Closed lowson closed 8 years ago
This should probably not happen. Do you have a PCAP? What version of Suricata?
Edit for clarification: If you have an alert key then event_type should be a valid field with a value of 'alert'.
Agreed. The traffic was only ARP requests that should not have alerted, as they don't match the rule. The Suricata version is 3.1.2. Going to review why the event fired.
Rule: alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9;)
The "same SRC/DST" uses the "sameip" keyword in the rule, which checks what the description suggests. You may have a NAT/sniffer location issue with where you're capturing packets. But it may just be bad traffic from some process as well. If you can share the PCAP I can have a look. If it's not a sniffer location issue I'd suggest opening an issue on Suricata's issue tracker.
sids like 2100527 (GPL SCAN same SRC/DST) cause suricata.py to crash; the JSON line does not contain event_type.
Crash:
module "Suricata":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 197, in process
    data = current.run()
  File "/opt/cuckoo/modules/processing/suricata.py", line 233, in run
    if parsed["event_type"] == "alert":
KeyError: 'event_type'
eve.json line:
{"timestamp":"2016-11-13T09:05:00.117653-0500","alert":{"action":"allowed","gid":1,"signature_id":2100527,"rev":9,"signature":"GPL SCAN same SRC/DST","category":"Potentially Bad Traffic","severity":2}}
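As an added example (not Cuckoo's suricata.py and not Suricata's own code), the following parser shows how an eve.json reader can survive the record quoted above: it treats a record that has an "alert" object but no "event_type" key as an alert, as the reply in this thread notes it should be, instead of raising KeyError, and it skips lines that are not valid JSON. The first sample line is the one from the issue; the other sample lines and the function names (classify_event, parse_eve_lines) are constructed here for illustration.

```python
import json

# Constructed sample of eve.json lines. The first line is the record quoted in the
# issue (no event_type); the remaining lines are constructed here to exercise the
# other branches: a normal alert with src/dest IPs, a non-alert event, and garbage.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-11-13T09:05:00.117653-0500","alert":{"action":"allowed","gid":1,'
    '"signature_id":2100527,"rev":9,"signature":"GPL SCAN same SRC/DST",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2016-11-13T09:05:01.000000-0500","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.5","proto":"TCP",'
    '"alert":{"signature_id":2100527,"rev":9,"signature":"GPL SCAN same SRC/DST","severity":2}}',
    '{"timestamp":"2016-11-13T09:05:02.000000-0500","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com"}}',
    'this is not json',
]


def classify_event(record):
    """Return the event type of one parsed eve.json record.

    Suricata normally emits an explicit "event_type". When it is missing but the
    record carries an "alert" object (the case reported in this issue), the record
    is treated as an alert rather than crashing on a KeyError. Anything else that
    lacks event_type is reported as "unknown".
    """
    event_type = record.get("event_type")
    if event_type is not None:
        return event_type
    if "alert" in record:
        return "alert"
    return "unknown"


def parse_eve_lines(lines):
    """Parse eve.json lines into a summary without crashing on odd records.

    Returns a dict with the alerts found, a count per event type, and the number
    of lines that could not be decoded as JSON.
    """
    alerts = []
    counts = {}
    bad_lines = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:  # json.JSONDecodeError is a subclass of ValueError
            bad_lines += 1
            continue
        event_type = classify_event(record)
        counts[event_type] = counts.get(event_type, 0) + 1
        if event_type == "alert":
            alert = record.get("alert", {})
            src_ip = record.get("src_ip")
            dest_ip = record.get("dest_ip")
            alerts.append({
                "timestamp": record.get("timestamp"),
                "sid": alert.get("signature_id"),
                "signature": alert.get("signature"),
                "severity": alert.get("severity"),
                # src/dest may be absent entirely, as in the record from the issue
                "src_ip": src_ip,
                "dest_ip": dest_ip,
                # flag records where the addresses really are identical (what "sameip" matches)
                "same_ip": src_ip is not None and src_ip == dest_ip,
                "had_event_type": "event_type" in record,
            })
    return {"alerts": alerts, "counts": counts, "bad_lines": bad_lines}


if __name__ == "__main__":
    summary = parse_eve_lines(SAMPLE_EVE_LINES)
    for entry in summary["alerts"]:
        print(entry)
    print(summary["counts"], "undecodable lines:", summary["bad_lines"])
```

The "had_event_type" flag makes it easy to count how many alert records arrived without the key, which is useful when deciding whether a given Suricata build is producing malformed records or whether the processing module simply needs the defensive lookup.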