al0ne/suricata-rules

Duplicate sid

xisafe opened this issue · 2 comments

Duplicate sid

alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "CobaltStrike ARP Scan module"; flow:established; content:"POST"; http_method; content:"(ARP)"; http_client_body; content:"Scanner module is complete"; http_client_body; distance:0; sid:3016004; rev:1; metadata:created_at 2018_11_15,by al0ne;)

alert http any any -> any any (msg:"CobatlStrikt team servers 200 OK Space"; flow:from_server,established; content:"200"; http_stat_code; content:"HTTP/1.1 200 OK|20|"; http_response_line; threshold: type both, track by_src, count 3, seconds 60; reference:url,blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/; sid:3016004; rev:1; metadata:created_at 2019_02_27,by al0ne;)

al0ne commented

The sid has been changed. I also tested with suricata, no other problems.
suricata -c /etc/suricata/suricata.yaml -s suricata-ids.rules -T
8/4/2019 -- 02:19:23 - - Running suricata under test mode
8/4/2019 -- 02:19:23 - - This is Suricata version 4.1.0 RELEASE
8/4/2019 -- 02:19:23 - - CPUs/cores online: 2
8/4/2019 -- 02:19:24 - - eve-log output device (regular) initialized: eve.json
8/4/2019 -- 02:19:24 - - stats output device (regular) initialized: stats.log
8/4/2019 -- 02:19:24 - - 2 rule files processed. 10667 rules successfully loaded, 0 rules failed
8/4/2019 -- 02:19:24 - - Threshold config parsed: 0 rule(s) found
8/4/2019 -- 02:19:24 - - 10668 signatures processed. 0 are IP-only rules, 3830 are inspecting packet payload, 8429 inspect application layer, 0 are decoder event only
8/4/2019 -- 02:19:26 - - Configuration provided was successfully loaded. Exiting.
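A small pre-load check for the problem this issue reports, written as an added example (it is not code from the al0ne/suricata-rules repository or from either commenter). It scans one or more rule files for (gid, sid) pairs used by more than one rule, the way a reviewer would before running `suricata -T` on a changed ruleset. Assumptions: gid is taken as 1 when a rule has no `gid` option, option keywords are matched only outside double-quoted values (so a `content:"sid:1\;"` inside a rule is not mistaken for that rule's sid), and backslash line continuations are joined. The embedded sample is constructed here and consists of the two rules quoted in the issue plus one unrelated rule; `constructed.rules` is a placeholder file name.

```python
"""Flag duplicate (gid, sid) pairs across Suricata rule files.

Added example, not part of the al0ne/suricata-rules repository. Comment
lines are skipped, backslash-continued lines are joined, and option keywords
are matched only outside quoted strings so that a quoted content value
containing "sid:" does not count as the rule's own sid.
"""
import re
import sys
from collections import defaultdict

QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"')            # any double-quoted option value
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)")


def _logical_lines(text):
    """Yield (first_line_no, rule_text), joining backslash-continued lines."""
    buf, start = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:  # file ended right after a continuation line
        yield start, "".join(buf)


def find_duplicate_sids(sources):
    """Return {(gid, sid): [(file, line_no, rev, msg), ...]} for keys used by 2+ rules.

    `sources` maps a file name to its text. gid defaults to 1 when absent
    (Suricata's default); rev is None when absent.
    """
    seen = defaultdict(list)
    for name, text in sources.items():
        for lineno, rule in _logical_lines(text):
            rule = rule.strip()
            if not rule or rule.startswith("#"):
                continue
            msg_m = MSG_RE.search(rule)
            msg = msg_m.group(1) if msg_m else ""
            bare = QUOTED_RE.sub('""', rule)  # blank quoted values before keyword matching
            sid_m = SID_RE.search(bare)
            if not sid_m:
                continue
            gid_m = GID_RE.search(bare)
            rev_m = REV_RE.search(bare)
            key = (int(gid_m.group(1)) if gid_m else 1, int(sid_m.group(1)))
            rev = int(rev_m.group(1)) if rev_m else None
            seen[key].append((name, lineno, rev, msg))
    return {k: v for k, v in seen.items() if len(v) > 1}


def report(dups):
    """Render one line per offending rule; an empty list means no duplicates."""
    lines = []
    for (gid, sid), uses in sorted(dups.items()):
        lines.append(f"gid:{gid} sid:{sid} used {len(uses)} times:")
        for name, lineno, rev, msg in uses:
            lines.append(f'  {name}:{lineno} rev:{rev} msg:"{msg}"')
    return lines


# Constructed sample: the two rules quoted in the issue plus one rule whose
# content value contains a fake "sid:" to show why quoted values are ignored.
SAMPLE_RULES = r'''
# constructed sample input
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "CobaltStrike ARP Scan module"; flow:established; content:"POST"; http_method; content:"(ARP)"; http_client_body; content:"Scanner module is complete"; http_client_body; distance:0; sid:3016004; rev:1; metadata:created_at 2018_11_15,by al0ne;)
alert http any any -> any any (msg:"CobatlStrikt team servers 200 OK Space"; flow:from_server,established; content:"200"; http_stat_code; content:"HTTP/1.1 200 OK|20|"; http_response_line; threshold: type both, track by_src, count 3, seconds 60; reference:url,blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/; sid:3016004; rev:1; metadata:created_at 2019_02_27,by al0ne;)
alert dns any any -> any any (msg:"constructed lookup"; dns_query; content:"sid:3016004\;"; sid:3016005; rev:2;)
'''

if __name__ == "__main__":
    # Usage: python check_sids.py file1.rules file2.rules ...  (no args: run on the sample)
    if len(sys.argv) > 1:
        sources = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    else:
        sources = {"constructed.rules": SAMPLE_RULES}
    out = report(find_duplicate_sids(sources))
    print("\n".join(out) if out else "no duplicate sids")
    sys.exit(1 if out else 0)
```

Run it over every file that `suricata.yaml` loads together, since a collision between two files is just as much a collision as one inside a single file; the non-zero exit status makes it usable as a pre-commit hook.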