[Oisf-users] Recently started getting Applayer protocol alerts
Orion Poplawski
orion at nwra.com
Fri Jan 25 18:44:45 UTC 2019
On 1/25/19 2:39 AM, Peter Manev wrote:
> On Tue, Jan 22, 2019 at 9:50 PM Orion Poplawski <orion at nwra.com> wrote:
>>
>> We're running suricata (4.1.2_1 and 4.0.13_6) on our pfSense boxes. Recently
>> (about the 12th or 13th it seems) we've started getting lots of "SURICATA
>> Applayer Mismatch protocol both directions" and "SURICATA Applayer Detect
>> protocol only one direction" alerts.
>>
>> Most of the "one direction" alerts seem to be for SMTP traffic - which
>> according to https://suricata.readthedocs.io/en/latest/rules/app-layer.html is
>> expected. Any reason not to exclude ports 25, 465, 587 from these rules?
>>
>
> you can try excluding it and see/feedback how it goes?
Okay, I'm trying with the following custom rule instead:
alert ip any ![25,465,587] -> any any (msg:"SURICATA Applayer Detect protocol
only one direction (non-SMTP)"; flow:established;
app-layer-event:applayer_detect_protocol_only_one_direction;
flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode;
sid:324000010; rev:1;)
it does look like it immediately dropped the detections. I'll let it run for
a while.
>> Most of the "both directions" messages seem to be for SMB port 445 traffic.
>> Did something change recently for this kind of traffic?
>>
After looking at things a bit closer, it seems like these alerts are only
coming from the suricata 4.0.13 machines - so perhaps there was an issue that
was fixed later, or that this rule is not appropriate for that version of
suricata.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
More information about the Oisf-users
mailing list