[Oisf-users] Recently started getting Applayer protocol alerts

F.Tremblay fcourrier at gmail.com
Thu Jan 31 23:45:39 UTC 2019


> alert ip any ![25,465,587] -> any any (msg:"SURICATA Applayer Detect protocol only one direction (non-SMTP)"

Just make sure you double-check that traffic on those ports is actually
SMTP; otherwise you just whitelisted them for SSH, Tor, BitTorrent, etc.

Saying this because most of my alerts from "Applayer Detect protocol only
one direction" are from BT traffic.

Cheers.

F.

On Fri, Jan 25, 2019 at 1:44 PM Orion Poplawski <orion at nwra.com> wrote:

> On 1/25/19 2:39 AM, Peter Manev wrote:
> > On Tue, Jan 22, 2019 at 9:50 PM Orion Poplawski <orion at nwra.com> wrote:
> >>
> >> We're running suricata (4.1.2_1 and 4.0.13_6) on our pfSense boxes. Recently
> >> (about the 12th or 13th it seems) we've started getting lots of "SURICATA
> >> Applayer Mismatch protocol both directions" and "SURICATA Applayer Detect
> >> protocol only one direction" alerts.
> >>
> >> Most of the "one direction" alerts seem to be for SMTP traffic - which
> >> according to https://suricata.readthedocs.io/en/latest/rules/app-layer.html is
> >> expected.  Any reason not to exclude ports 25, 465, 587 from these rules?
> >>
> >
> > you can try excluding it and see/feedback how it goes?
>
> Okay, I'm trying with the following custom rule instead:
>
> alert ip any ![25,465,587] -> any any (msg:"SURICATA Applayer Detect protocol only one direction (non-SMTP)"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:324000010; rev:1;)
>
> it does look like it immediately dropped the detections.  I'll let it run for
> a while.
>
> >> Most of the "both directions" messages seem to be for SMB port 445 traffic.
> >> Did something change recently for this kind of traffic?
> >>
>
> After looking at things a bit closer, it seems like these alerts are only
> coming from the suricata 4.0.13 machines - so perhaps there was an issue that
> was fixed later, or that this rule is not appropriate for that version of
> suricata.
>
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems          720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       orion at nwra.com
> Boulder, CO 80301                 https://www.nwra.com/
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
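The check F. recommends, written out as an added example that is not from the thread or from the Suricata project: a small Python script that reads eve.json alert records, tallies the "Applayer Detect protocol only one direction" hits by mail port and by the protocol Suricata actually detected, and lists the hits that a port-based exclusion would silently drop. The eve.json lines are constructed for the example (field names follow Suricata's alert output; the signature_id values and addresses are assumed). The posted rule negates the source-port field of the rule, so the script looks at whichever endpoint port of the flow is a mail port. Port 465 is allowed to show "tls" as well as "smtp", since implicit-TLS submission never exposes SMTP commands to the sensor.

```python
import json
from collections import Counter

SMTP_PORTS = {25, 465, 587}
# app_proto values that are legitimate on those ports: SMTP itself on 25/587,
# and TLS on 465 (implicit TLS, so Suricata never sees SMTP commands).
EXPECTED_ON_SMTP_PORTS = {"smtp", "tls"}
ONE_DIRECTION_MSG = "SURICATA Applayer Detect protocol only one direction"

# Constructed eve.json lines (not real captures), in the field layout Suricata
# uses for alert records: event_type, src/dest ports, app_proto, alert{...}.
# The signature_id values and addresses are assumed for the example.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":25,"proto":"TCP","app_proto":"smtp","alert":{"signature_id":2260002,"signature":"SURICATA Applayer Detect protocol only one direction"}}',
    '{"event_type":"alert","src_ip":"10.0.0.6","src_port":51300,"dest_ip":"203.0.113.10","dest_port":587,"proto":"TCP","app_proto":"smtp","alert":{"signature_id":2260002,"signature":"SURICATA Applayer Detect protocol only one direction"}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","src_port":51400,"dest_ip":"203.0.113.11","dest_port":465,"proto":"TCP","app_proto":"tls","alert":{"signature_id":2260002,"signature":"SURICATA Applayer Detect protocol only one direction"}}',
    '{"event_type":"alert","src_ip":"10.0.0.8","src_port":51500,"dest_ip":"198.51.100.20","dest_port":25,"proto":"TCP","app_proto":"ssh","alert":{"signature_id":2260002,"signature":"SURICATA Applayer Detect protocol only one direction"}}',
    '{"event_type":"alert","src_ip":"198.51.100.21","src_port":587,"dest_ip":"10.0.0.9","dest_port":6881,"proto":"TCP","app_proto":"http","alert":{"signature_id":2260002,"signature":"SURICATA Applayer Detect protocol only one direction"}}',
    '{"event_type":"alert","src_ip":"10.0.0.10","src_port":51600,"dest_ip":"198.51.100.22","dest_port":445,"proto":"TCP","app_proto":"smb","alert":{"signature_id":2260000,"signature":"SURICATA Applayer Mismatch protocol both directions"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":25,"proto":"TCP","app_proto":"smtp"}',
])


def parse_eve(text):
    """Yield the JSON records from eve.json text, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def one_direction_alerts(events):
    """Keep only alert records carrying the 'only one direction' signature."""
    return [
        ev for ev in events
        if ev.get("event_type") == "alert"
        and ev.get("alert", {}).get("signature") == ONE_DIRECTION_MSG
    ]


def smtp_side_port(ev):
    """Return whichever endpoint port of the flow is a mail port, else None."""
    for key in ("src_port", "dest_port"):
        if ev.get(key) in SMTP_PORTS:
            return ev[key]
    return None


def summarize_by_proto(events):
    """Count one-direction alerts by (mail port or None, detected app_proto)."""
    counts = Counter()
    for ev in one_direction_alerts(events):
        counts[(smtp_side_port(ev), ev.get("app_proto", "unknown"))] += 1
    return counts


def hidden_by_port_exclusion(events):
    """Alerts on a mail port whose detected app_proto is not SMTP/TLS.

    These are exactly the hits a port-based exclusion would silently drop:
    non-mail traffic (SSH, HTTP, ...) riding on a mail port.
    """
    hidden = Counter()
    for ev in one_direction_alerts(events):
        port = smtp_side_port(ev)
        proto = ev.get("app_proto", "unknown")
        if port is not None and proto not in EXPECTED_ON_SMTP_PORTS:
            hidden[(port, proto)] += 1
    return hidden


def main():
    events = list(parse_eve(SAMPLE_EVE))
    # key=str keeps the sort stable when the port is None
    for (port, proto), n in sorted(summarize_by_proto(events).items(), key=str):
        print(f"port={port} app_proto={proto} alerts={n}")
    hidden = hidden_by_port_exclusion(events)
    if hidden:
        print("WARNING: excluding mail ports would hide these non-SMTP flows:")
        for (port, proto), n in hidden.items():
            print(f"  port={port} app_proto={proto} alerts={n}")


if __name__ == "__main__":
    main()
```

On a real sensor, replace SAMPLE_EVE with the contents of eve.json (or a `jq 'select(.event_type=="alert")'` extract of it) and run the script before committing to the port exclusion; anything in the WARNING list is traffic the narrowed rule would stop reporting.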