Project

General

Profile

Actions

Support #2729

closed

/var/log/suricata/fast.log full because of a rules

Added by lolilol party about 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

hello,

I try to understand a rules in suricata, it is :

emerging-scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)

because in my /var/log/suricata/fast.log is full because of this rules, and I don't understant what is is this rules exaclty.

I try a tcpdump for tcp syn packet and port 3306 and I don't have a 5 packet in 60 seconds

Actions #1

Updated by Andreas Herz about 6 years ago

Do you have a chance to sniff directly for this traffic?

The rule itself is quite simple and seems you already saw what it tries to match.

Actions #2

Updated by Victor Julien about 6 years ago

  • Subject changed from /var/log/suricata/fast.log fall because of a rules to /var/log/suricata/fast.log full because of a rules
Actions #3

Updated by Victor Julien almost 6 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF