[Oisf-users] Recently started getting Applayer protocol alerts

F.Tremblay fcourrier at gmail.com
Thu Jan 31 23:58:32 UTC 2019


Also, do you get a lot of "app-layer-event:applayer_proto_detection_skipped"?

Not sure if they are included in the base *Decoder Rules*, but it is
documented in the docs.

https://suricata.readthedocs.io/en/suricata-4.0.5/rules/app-layer.html

F.

On Thu, Jan 31, 2019 at 6:45 PM F.Tremblay <fcourrier at gmail.com> wrote:

>
> alert ip any ![25,465,587] -> any any (msg:"SURICATA Applayer Detect
> protocol only one direction (non-SMTP)"
>
> Just make sure you double-check that traffic on those ports is actually
> SMTP; otherwise you just whitelisted them to SSH, TOR, BitTorrent, etc.
>
> Saying this because most of my alerts from " Applayer Detect protocol only
> one direction" are from BT traffic.
>
> Cheers.
>
> F.
>
> On Fri, Jan 25, 2019 at 1:44 PM Orion Poplawski <orion at nwra.com> wrote:
>
>> On 1/25/19 2:39 AM, Peter Manev wrote:
>> > On Tue, Jan 22, 2019 at 9:50 PM Orion Poplawski <orion at nwra.com> wrote:
>> >>
>> >> We're running suricata (4.1.2_1 and 4.0.13_6) on our pfSense boxes.
>> >> Recently (about the 12th or 13th it seems) we've started getting lots of
>> >> "SURICATA Applayer Mismatch protocol both directions" and "SURICATA
>> >> Applayer Detect protocol only one direction" alerts.
>> >>
>> >> Most of the "one direction" alerts seem to be for SMTP traffic - which
>> >> according to
>> >> https://suricata.readthedocs.io/en/latest/rules/app-layer.html is
>> >> expected.  Any reason not to exclude ports 25, 465, 587 from these
>> >> rules?
>> >>
>> >
>> > you can try excluding it and see/feedback how it goes?
>>
>> Okay, I'm trying with the following custom rule instead:
>>
>> alert ip any ![25,465,587] -> any any (msg:"SURICATA Applayer Detect
>> protocol only one direction (non-SMTP)"; flow:established;
>> app-layer-event:applayer_detect_protocol_only_one_direction;
>> flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode;
>> sid:324000010; rev:1;)
>>
>> it does look like it immediately dropped the detections.  I'll let it run
>> for a while.
>>
>> >> Most of the "both directions" messages seem to be for SMB port 445
>> >> traffic.
>> >> Did something change recently for this kind of traffic?
>> >>
>>
>> After looking at things a bit closer, it seems like these alerts are only
>> coming from the suricata 4.0.13 machines - so perhaps there was an issue
>> that was fixed later, or that this rule is not appropriate for that version
>> of suricata.
>>
>>
>> --
>> Orion Poplawski
>> Manager of NWRA Technical Systems          720-772-5637
>> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
>> 3380 Mitchell Lane                       orion at nwra.com
>> Boulder, CO 80301                 https://www.nwra.com/
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>
>
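Checking the point made above before relying on the port exclusion, as an added example that is not code from the thread: a Python script that reads Suricata eve.json alert records, tallies app_proto per destination port for the one-direction alerts, and flags any excluded SMTP port whose traffic Suricata detected as something other than SMTP. The eve.json lines are constructed sample data.

```python
import json
from collections import Counter, defaultdict

# Signature text of the "only one direction" rule discussed in the thread.
ONE_DIR_SIG = "SURICATA Applayer Detect protocol only one direction"
SMTP_PORTS = {25, 465, 587}  # ports the custom rule above excludes

# Constructed eve.json lines (sample data, not a real capture), in the
# field layout Suricata's EVE output uses.
SAMPLE_EVE = """\
{"event_type":"alert","dest_port":25,"app_proto":"smtp","alert":{"signature":"SURICATA Applayer Detect protocol only one direction"}}
{"event_type":"alert","dest_port":587,"app_proto":"smtp","alert":{"signature":"SURICATA Applayer Detect protocol only one direction"}}
{"event_type":"alert","dest_port":465,"app_proto":"ssh","alert":{"signature":"SURICATA Applayer Detect protocol only one direction"}}
{"event_type":"alert","dest_port":445,"app_proto":"smb","alert":{"signature":"SURICATA Applayer Mismatch protocol both directions"}}
{"event_type":"flow","dest_port":25,"app_proto":"smtp"}
not json at all
"""

def tally_one_direction(lines):
    """Return {dest_port: Counter(app_proto)} for the one-direction alerts."""
    per_port = defaultdict(Counter)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or garbled lines instead of aborting
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("signature") != ONE_DIR_SIG:
            continue
        proto = rec.get("app_proto") or "unknown"
        per_port[rec.get("dest_port")][proto] += 1
    return per_port

def non_smtp_on_smtp_ports(per_port):
    """Excluded ports whose one-direction alerts carried a non-SMTP app_proto.
    Traffic on these ports would be silently whitelisted by the port filter."""
    return {port: dict(counts) for port, counts in per_port.items()
            if port in SMTP_PORTS and any(p != "smtp" for p in counts)}

if __name__ == "__main__":
    tally = tally_one_direction(SAMPLE_EVE.splitlines())
    for port, counts in sorted(tally.items()):
        print(port, dict(counts))
    print("non-SMTP on excluded ports:", non_smtp_on_smtp_ports(tally))
```

Run it against a real eve.json with `tally_one_direction(open("eve.json"))` and let the alerts sit for a while first, since one-direction detections are per flow and a quiet port can look clean on a short window.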