[Oisf-users] signature action drop instead of alert

Andreas Herz aherz at oisf.net
Thu Jan 23 20:00:57 UTC 2020


On 23/01/20 at 00:15, Vieri wrote:
> I'm using Suricata 5.0.1, and I'm getting lots of "drops" for several SURICATA STREAM signatures.

In general you don't want to convert those rules to drop, as they will
trigger quite often in mixed-traffic environments in some cases.

> # grep -r 2210042 /var/lib/suricata/*
> /var/lib/suricata/rules/suricata.rules:alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
> 
> If this signature has the "alert" action set in the rules file, why is EVE logging it as a "drop"?

Can you check what path is set in the suricata config?
I would guess that it's using another ruleset where you have action drop
instead of alert.

-- 
Andreas Herz
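The check suggested in the reply above (is some other loaded ruleset giving this sid a drop action?) can be automated. The script below is an added example, not code from the thread or from the Suricata project: it reads the action every candidate rule file assigns to a given sid and compares it with the verdicts that EVE actually recorded for that sid. The rule text and EVE lines are constructed inline; the second rule file path `/etc/suricata/rules/local-drop.rules` is hypothetical, and the script assumes single-line rules as written by suricata-update.

```python
import json
import re
from collections import Counter

# Matches the action word and the sid of one single-line Suricata rule
# (assumption: one rule per line, as suricata-update writes them).
RULE_RE = re.compile(
    r'^\s*(?P<action>alert|drop|reject|pass)\s+.*?\bsid\s*:\s*(?P<sid>\d+)\s*;',
    re.IGNORECASE,
)

# Constructed sample data: the rule from the thread in the suricata-update
# output, plus a hypothetical second file where an operator changed it to drop.
CONSTRUCTED_RULE_FILES = {
    "/var/lib/suricata/rules/suricata.rules":
        'alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; '
        'stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; '
        'sid:2210042; rev:2;)\n',
    "/etc/suricata/rules/local-drop.rules":  # hypothetical path
        '# converted to drop by an operator\n'
        'drop tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; '
        'stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; '
        'sid:2210042; rev:2;)\n',
}

# Constructed EVE lines: a drop event, a blocked alert and an allowed alert for the sid.
CONSTRUCTED_EVE = "\n".join(json.dumps(ev) for ev in [
    {"timestamp": "2020-01-23T00:00:01.000000+0000", "event_type": "drop",
     "alert": {"action": "blocked", "signature_id": 2210042, "rev": 2}},
    {"timestamp": "2020-01-23T00:00:02.000000+0000", "event_type": "alert",
     "alert": {"action": "blocked", "signature_id": 2210042, "rev": 2}},
    {"timestamp": "2020-01-23T00:00:03.000000+0000", "event_type": "flow"},
    {"timestamp": "2020-01-23T00:00:04.000000+0000", "event_type": "alert",
     "alert": {"action": "allowed", "signature_id": 2210042, "rev": 2}},
])


def rule_actions(rule_text, sid):
    """Return [(line_no, action)] for every uncommented rule carrying this sid."""
    hits = []
    for n, line in enumerate(rule_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # disabled rule, Suricata does not load it
        m = RULE_RE.match(line)
        if m and int(m.group("sid")) == sid:
            hits.append((n, m.group("action").lower()))
    return hits


def eve_verdicts(eve_text, sid):
    """Count EVE verdicts for the sid: 'drop' for drop events or blocked alerts, else 'alert'."""
    counts = Counter()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        alert = ev.get("alert") or {}
        if alert.get("signature_id") != sid:
            continue
        if ev.get("event_type") == "drop" or alert.get("action") == "blocked":
            counts["drop"] += 1
        else:
            counts["alert"] += 1
    return counts


def expected_verdict(action):
    """Map a rule action word to the verdict EVE would record for a match."""
    return "drop" if action in ("drop", "reject") else "alert"


def explain(rule_files, eve_text, sid):
    """For each rule file, list the sid's actions and whether they account for EVE drops."""
    verdicts = eve_verdicts(eve_text, sid)
    report = {}
    for path, text in rule_files.items():
        actions = rule_actions(text, sid)
        drops_here = any(expected_verdict(a) == "drop" for _, a in actions)
        report[path] = {
            "actions": actions,
            "explains_drops": drops_here and verdicts["drop"] > 0,
        }
    return verdicts, report


if __name__ == "__main__":
    verdicts, report = explain(CONSTRUCTED_RULE_FILES, CONSTRUCTED_EVE, 2210042)
    print("EVE verdicts:", dict(verdicts))
    for path, info in report.items():
        print(path, info)
```

On a real box, replace the constructed dictionary with the contents of every file listed under `rule-files` in the loaded suricata.yaml (including any not under `default-rule-path`), and feed the real eve.json; a file whose `explains_drops` is true is the one that turned the signature into a drop.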
