Support #2729

/var/log/suricata/fast.log full because of a rules

Added by lolilol party 5 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
medium
Label:

Description

hello,

I am trying to understand a rule in Suricata, it is:

emerging-scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)

because my /var/log/suricata/fast.log is full because of this rule, and I don't understand what exactly this rule does.

I tried a tcpdump for TCP SYN packets on port 3306 and I don't see 5 packets in 60 seconds.
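
Added illustration, not part of the ticket or of Suricata's code: a small Python model of the two Suricata threshold types, run over constructed SYN timestamps. In Suricata, `threshold: type limit, count 5, seconds 60, track by_src` does not wait for five SYNs; it alerts on the first matching SYN from a source and then caps the output at five alerts per source per 60 seconds, so one inbound SYN to port 3306 is enough to produce a fast.log line. The `type threshold` model is included only for contrast.

```python
# Constructed SYN events (timestamp in seconds, source IP); not captured from the ticket.
SAMPLE_SYNS = [
    (0, "203.0.113.7"), (10, "203.0.113.7"), (20, "203.0.113.7"),
    (30, "203.0.113.7"), (40, "203.0.113.7"), (50, "203.0.113.7"),
    (55, "203.0.113.7"), (70, "203.0.113.9"),
]


def simulate_limit(events, count=5, seconds=60):
    """Model of 'threshold: type limit, count N, seconds S, track by_src'.

    Every matching packet is a candidate alert; at most `count` alerts are
    emitted per source in each `seconds` window, and the window starts at
    the first match. The first SYN seen from a source therefore always alerts.
    """
    state = {}  # src -> (window_start, alerts_emitted_in_window)
    alerts = []
    for ts, src in events:
        start, n = state.get(src, (None, 0))
        if start is None or ts - start >= seconds:
            start, n = ts, 0  # window expired: open a new one
        if n < count:
            alerts.append((ts, src))
            n += 1
        state[src] = (start, n)
    return alerts


def simulate_threshold(events, count=5, seconds=60):
    """Model of 'threshold: type threshold' for contrast: one alert each time
    `count` matches from the same source accumulate within `seconds`."""
    state = {}  # src -> (window_start, matches_since_last_alert)
    alerts = []
    for ts, src in events:
        start, n = state.get(src, (None, 0))
        if start is None or ts - start >= seconds:
            start, n = ts, 0
        n += 1
        if n >= count:
            alerts.append((ts, src))
            n = 0
        state[src] = (start, n)
    return alerts


if __name__ == "__main__":
    print("limit    :", simulate_limit(SAMPLE_SYNS))      # 6 alerts: 5 from .7, 1 from .9
    print("threshold:", simulate_threshold(SAMPLE_SYNS))  # 1 alert, at the fifth SYN from .7
```

Both functions are simplified models of the per-source window logic in Suricata's threshold handling, enough to reproduce the alert counts but not the engine's entry expiry or the `by_dst`/`by_rule` tracking modes.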

History

#1

Updated by Andreas Herz 5 months ago

Do you have a chance to sniff directly for this traffic?

The rule itself is quite simple, and it seems you already saw what it tries to match.

#2

Updated by Victor Julien 4 months ago

  • Subject changed from /var/log/suricata/fast.log fall because of a rules to /var/log/suricata/fast.log full because of a rules

#3

Updated by Victor Julien about 1 month ago

  • Status changed from New to Closed
