Actions
Support #2729
closed/var/log/suricata/fast.log full because of a rules
Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:
Description
hello,
I try to understand a rules in suricata, it is :
emerging-scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)
because in my /var/log/suricata/fast.log is full because of this rules, and I don't understant what is is this rules exaclty.
I try a tcpdump for tcp syn packet and port 3306 and I don't have a 5 packet in 60 seconds
Updated by Andreas Herz about 6 years ago
Do you have a chance to sniff directly for this traffic?
The rule itself is quite simple and seems you already saw what it tries to match.
Updated by Victor Julien about 6 years ago
- Subject changed from /var/log/suricata/fast.log fall because of a rules to /var/log/suricata/fast.log full because of a rules
Actions