Re: blocked instead of alert

[Balla István <balla.bmf () gmail com>]

thanks for the answers so far. three questions: 1. how to look for a rule
according to sig/den id (in this case 18/129) in an event?
2. how to determine if this event has been triggered by preproc rule or
decoder rule or detection rule?
3. where I can find the pcap file you are looking for to see more details?


2013/5/7 waldo kitty <wkitty42 () windstream net>

> On 5/7/2013 12:51, beenph wrote:
> > On Tue, May 7, 2013 at 12:33 PM, waldo kitty<wkitty42 () windstream net>
>  wrote:
> > > On 5/7/2013 04:22, Balla István wrote:
> > > >      yes, it is unified2. the last piece of (Event) is the *blocked:1.*
> > >
> > > right... i see that... that is what u2spewfoo is outputting...
> >
> > While you can  help Waldo, here i think you bring a bit of confusion
> > to the thread.
>
> sorry if that is happening... it is not my intention... i only try to
> bring out
> the necessary details to solve the problem...
>
> > The initial question from Balla is, why event 1 is considered as
> > blocked while the other is not considered as blocked.
>
> right... the log file that u2spewfoo is processing will tell us why
> u2spewfoo is
> saying it is a block... that's what i'm saying... we have to get to the
> root to
> find the cause...
>
> [trim]
> > > i'm asking what a blocked entry looks like in the /raw/ unified2 log
> file...
> > > that is the key to figuring out and understanding why it is being shown
> by
> > > u2spewfoo as a block...
> >
> > Blocked is a unified2 structure field and its part of every unified2
> event type,
> > its set by the engine, thus u2spewfoo does not makeup "block", its
> > only displaying it.
>
> my thought was that something may have been misinterpreted by u2spewfoo in
> this
> case... it is possible that snort has a bug and wrote the output
> incorrectly...
> so far there's not enough info to determine that and i don't think a pcap
> will
> help without the full configuration as well... even then, that may not help
> solved the problem...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and
> their applications. This 200-page book is written by three acclaimed
> leaders in the field. The early access version is available now.
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!