Bug #1862
Duplicate alerts in IPS mode.
Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:
Description
Using git master in IPS mode can result in multiple alerts being generated where one is generated in IDS mode. I have replicated this with NFQ against a real target as well as using --simulate-ips with a pcap.
The simple case is hitting http://www.testmyids.com while in IPS mode. 4 alerts will be created. This can be demonstrated using the attached pcap with the attached rules file (rules are just from ET open).
In IDS mode (pcap or live) only a single alert will be generated.
The alert generated multiple times is SID 2100498. The other rule (SID: 2013028; curl user agent) is only generated once, likely due to the presence of the flow keyword.
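Added check (not part of this report or of Suricata itself): compare the per-SID alert counts from an IDS run and a --simulate-ips run of the same pcap, read from each run's eve.json, so the duplicate described above shows up as a count difference per flow. The eve.json lines below are constructed samples that follow Suricata's EVE alert record layout (event_type, flow_id, alert.signature_id).

```python
import json
from collections import Counter

# Constructed EVE JSON output (not the report's attachment). Layout follows
# Suricata's eve.json alert records: event_type, flow_id, alert.signature_id.
IDS_RUN = """\
{"event_type":"alert","flow_id":111,"alert":{"signature_id":2013028,"signature":"sample sid 2013028"}}
{"event_type":"alert","flow_id":111,"alert":{"signature_id":2100498,"signature":"sample sid 2100498"}}
{"event_type":"http","flow_id":111,"http":{"hostname":"www.testmyids.com"}}
"""
# The same session replayed with --simulate-ips: SID 2100498 fires four times.
IPS_RUN = """\
{"event_type":"alert","flow_id":111,"alert":{"signature_id":2013028,"signature":"sample sid 2013028"}}
{"event_type":"alert","flow_id":111,"alert":{"signature_id":2100498,"signature":"sample sid 2100498"}}
{"event_type":"alert","flow_id":111,"alert":{"signature_id":2100498,"signature":"sample sid 2100498"}}
{"event_type":"alert","flow_id":111,"alert":{"signature_id":2100498,"signature":"sample sid 2100498"}}
{"event_type":"alert","flow_id":111,"alert":{"signature_id":2100498,"signature":"sample sid 2100498"}}
{"event_type":"http","flow_id":111,"http":{"hostname":"www.testmyids.com"}}
"""


def alert_counts(eve_lines):
    """Count alert events per (flow_id, signature_id); non-alert records are skipped."""
    counts = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        counts[(rec.get("flow_id"), rec["alert"]["signature_id"])] += 1
    return counts


def duplicate_alerts(eve_lines):
    """Return {(flow_id, sid): n} for signatures that fired more than once on one flow."""
    return {key: n for key, n in alert_counts(eve_lines).items() if n > 1}


def compare_runs(ids_lines, ips_lines):
    """Per-SID totals that differ between an IDS run and an IPS/--simulate-ips run."""
    def per_sid(lines):
        totals = Counter()
        for (_flow, sid), n in alert_counts(lines).items():
            totals[sid] += n
        return totals
    ids, ips = per_sid(ids_lines), per_sid(ips_lines)
    return {sid: (ids[sid], ips[sid]) for sid in ids.keys() | ips.keys() if ids[sid] != ips[sid]}


if __name__ == "__main__":
    print(duplicate_alerts(IPS_RUN.splitlines()))          # {(111, 2100498): 4}
    print(compare_runs(IDS_RUN.splitlines(), IPS_RUN.splitlines()))  # {2100498: (1, 4)}
```

For a real comparison, feed the two functions the eve.json produced by a plain `-r` run and a `--simulate-ips -r` run of the same pcap with the same rules file.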