During testing of multiple new fingerprinting signatures, it was discovered that when the source being "fingerprinted" was sending a large amount of data, Sagan would continue to generate alerts. In my observation, the rule should have generated one alert every 12 hours but proceeded to generate 50-100s/day. It does not appear to be completely ignoring the threshold, or I would have seen millions of alerts.
Here is the rule:
alert any $HOME_NET any -> $HOME_NET any (msg:"Palo Alto device detected"; meta_content:"|2c|%sagan%|2c|",THREAT,TRAFFIC,SYSTEM; meta_content:"|2c|%sagan%|2c|",data,file,flood,packet,scan,spyware,url,virus,vulnerability,wildfire,start,end,deny,drop; meta_nocase; reference:url,docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/monitor/monitor-logs/log-types; metadata: fingerprint_source logs, fingerprint_os Palo-Alto, fingerprint_expire 86400; threshold: type suppress, track by_src, seconds 43200, count 1; classtype:fingerprint; sid:848006; rev:1;)
NOTE: This was observed in multiple environments, across two other rules as well.
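The threshold option the rule carries ("type suppress, track by_src, seconds 43200, count 1") is modelled below so the expected behaviour can be checked against a constructed event stream. This is an added example, not Sagan's own implementation or the reporter's code: it assumes the semantics the report expects, namely that once a source has raised an alert, further matches from that source are suppressed until `seconds` have elapsed, so a continuously logging source should produce one alert per 12 hours regardless of volume. The `SuppressTracker` class, the source addresses and the event timings are assumptions for illustration.

```python
"""Reference model of a per-source suppress threshold, as the report expects
it to behave. Added example, not Sagan's code; the event stream is constructed.
"""
import re
from collections import defaultdict

# Threshold option text taken from the rule in the issue (sid 848006); the rest
# of the rule is irrelevant to the model.
RULE = (
    'alert any $HOME_NET any -> $HOME_NET any (msg:"Palo Alto device detected"; '
    'threshold: type suppress, track by_src, seconds 43200, count 1; '
    'classtype:fingerprint; sid:848006; rev:1;)'
)


def parse_threshold(rule):
    """Extract the threshold option as a dict, e.g.
    {'type': 'suppress', 'track': 'by_src', 'seconds': 43200, 'count': 1}."""
    m = re.search(r'threshold:\s*([^;]+);', rule)
    if not m:
        return None
    opts = {}
    for part in m.group(1).split(','):
        key, _, val = part.strip().partition(' ')
        val = val.strip()
        opts[key] = int(val) if val.isdigit() else val
    return opts


class SuppressTracker:
    """Per-key state: when the current window opened and how many matches it
    has seen. A window opens on the first match from a key and closes
    `seconds` later; the window's `count`-th match raises the alert and every
    later match in the same window is suppressed (assumed semantics)."""

    def __init__(self, seconds, count=1, track='by_src'):
        self.seconds, self.count, self.track = seconds, count, track
        self.windows = {}  # key -> {'start': ts, 'seen': n, 'fired': bool}

    def _key(self, event):
        return event['src'] if self.track == 'by_src' else event['dst']

    def process(self, event):
        """Return True if this event should raise an alert."""
        key, ts = self._key(event), event['ts']
        win = self.windows.get(key)
        if win is None or ts - win['start'] >= self.seconds:
            win = self.windows[key] = {'start': ts, 'seen': 0, 'fired': False}
        win['seen'] += 1
        if not win['fired'] and win['seen'] >= self.count:
            win['fired'] = True
            return True
        return False


def constructed_stream(src, interval, hours):
    """Constructed events: one rule match from `src` every `interval` seconds."""
    return [{'ts': t, 'src': src, 'dst': '10.0.0.1'}
            for t in range(0, hours * 3600, interval)]


def alerts_per_source(events, threshold):
    """Run the stream through the tracker in time order; count alerts per source."""
    tracker = SuppressTracker(threshold['seconds'], threshold['count'], threshold['track'])
    counts = defaultdict(int)
    for e in sorted(events, key=lambda e: e['ts']):
        if tracker.process(e):
            counts[e['src']] += 1
    return dict(counts)


def run_demo():
    th = parse_threshold(RULE)
    # A chatty device (one match per second, 86,400/day) and a quiet one
    # (one per minute). With a 43,200 s window both should alert exactly
    # twice in 24 hours, whatever their volume.
    events = (constructed_stream('10.0.0.5', 1, 24)
              + constructed_stream('10.0.0.6', 60, 24))
    return alerts_per_source(events, th)


if __name__ == '__main__':
    print(run_demo())  # {'10.0.0.5': 2, '10.0.0.6': 2}
```

Running this against a real engine's output is the check worth doing when a suppress rule over-fires: feed a known-volume stream, compare the alert count per source with `ceil(hours / (seconds / 3600))`, and confirm that the tracked key (the normalized source address) is identical for every event from that host, since any per-event variation in the key gives each variant its own window.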