Project

General

Profile

Actions
Copy link

Bug #1862

closed

Duplicate alerts in IPS mode.

Added by Jason Ish over 7 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using git master in IPS mode can result in multiple alerts being generated where 1 is generated in IDS mode. I have replicated this with NFQ against a real target as well as using --simulate-ips with a pcap.

The simple case is hitting http://www.testmyids.com while in IPS mode. 4 alerts will be created. This can be demonstrated using the attached pcap with the attached rules file (rules are just from ET open).

In IDS mode (pcap or live) only a single alert will be generated.

The alert generated multiple times is SID 2100498. The other rule (SID: 2013028; curl user agent) is only generated once, likely due to the presence of the flow keyword.

Files

Download all files
testmyids.pcap (1.08 KB) testmyids.pcap The PCAP Jason Ish, 08/14/2016 06:47 PM
issue.rules (460 Bytes) issue.rules The rules. Jason Ish, 08/14/2016 06:47 PM
eve.json (4.76 KB) eve.json The output. Jason Ish, 08/14/2016 06:47 PM
Actions
Copy link
 #1

Updated by Andreas Herz over 7 years ago

  • Assignee set to OISF Dev
  • Target version set to 70
Actions
Copy link
 #2

Updated by Andreas Herz almost 5 years ago

  • Status changed from New to Closed

Can't be reproduced with current master

Actions
Copy link
 #3

Updated by Victor Julien over 4 years ago

  • Assignee deleted (OISF Dev)
  • Target version deleted (70)
Actions
Copy link

Also available in: Atom PDF