al0ne / suricata-rules Goto Github PK

I am receiving an alert on: 3016006 from an iPhone on my network.
Is this a false positive?

10/30/2019-09:05:10.232851 [] [1:3016006:1] Weevely PHP Backdoor Response [] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 70.186.27.16:80 -> 192.XXX.XXX.XXX:40060

This rule don't have classtype field.

alert tcp $HOME_NET any -> any any (msg: "http GET data"; flow: established; content:"|47 45 54|"; depth: 10; content:"|0d 0a 0d 0a|"; depth:500; pcre:"/\x0d\x0a\x0d\x0a[^GETPOSTPUTHEAD\{\<\-][\x00-\xff]{100,200}/"; sid: 3013004; rev: 1; metadata:created_at 2018_10_17,by al0ne;)

优化了很多天了，一直解决不了，始终kernel的rx_drop 50%丢包，其它统计指标都正常。和同事弄了很多天了，看了您的文章，操作很多遍了，查了很多资料，很奇怪，htop看内存，cpu都充足，大概5Gb/s的流量，奇怪为什么suricata pfring的zc模式还会处理不过来。非常想和您取得联系，得到您的帮助。拜托大佬

3003001 false positive when query whois databases.
This is payload.
"payload_printable": "ation: Microsoft Corporation\r\nTech Street: One Microsoft Way\r\nTech City: Redmond\r\nTech State/Province: WA\r\nTech Postal Code: 98052\r\nTech Country: US\r\nTech Phone: +1.4258828080\r\nTech Phone Ext: \r\nTech Fax: +1.4259367329\r\nTech Fax Ext: \r\nTech Email: [email protected]\r\nName Server: ns1.msft.net\r\nName Server: ns2.msft.net\r\nName Server: ns3.msft.net\r\nName Server: ns4.msft.net\r\nDNSSEC: Unsigned Delegation\r\nRegistrar Abuse Contact Email: [email protected]\r\nRegistrar Abuse Contact Phone: +44.2074218250\r\nURL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/\r\n>>> Last update of WHOIS database: 2019-08-06T06:10:10Z <<<\r\n\r\nFor more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en\r\n\r\nPlease query the RDDS service of the Registrar of Record identified in this\r\noutput for information on how to contact the Registrant, Admin, or Tech contact\r\nof the queried domain name.\r\n\r\n-------------------------------------------------------------------------------\r\nCom Laude registers, maintains and renews domain names around the world for \r\nleading intellectual property owners and the law firms that support them. \r\nIf you have queries about this domain, you may contact us via our website \r\nat www.comlaude.com. \r\n-------------------------------------------------------------------------------\r\n\r\nThe ",

• 当前不知道什么环境下使用哪些规则
• 不知道redis存还是到文件->elk
• suricata 优化，部署在 docker(host) 和 宿主机的差别。

当然我都可以测试，但是没有系统的说明，差别到底多大，影响的因素有哪些

多这个概念至少得1/3吧

1/8/2019 -- 11:15:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 3016011 setup buffer http_response_line but didn't add matches to it
1/8/2019 -- 11:15:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"CobatlStrikt team servers 200 OK Space"; flow:from_server,established; content:"200"; http_stat_code; content:"HTTP/1.1 200 OK|20|"; http_response_line; threshold: type both, track by_src, count 3, seconds 60; reference:url,blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/; sid:3016011; rev:1; metadata:created_at 2019_02_27,by al0ne;)" from file /var/lib/suricata/rules/suricata.rules at line 9951

Version：suricata V4.14
大概看了下好像是多了个 http_response_line，去掉之后就不报错了，不过由于学艺不精，不是很熟悉 Snort 语法，还望大佬再确认下

hi，我们是一家专注API的安全公司，看到你的github上有关于流量底层数据处理的分享，觉得非常专业，目前我们也遇到类似的问题， 请问下能否深入交流一下。