<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="line-height:16px;white-space:pre-wrap;font-family:monospace">Hi,</span></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="line-height:16px;white-space:pre-wrap;font-family:monospace">
</span></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="line-height:16px;white-space:pre-wrap;font-family:monospace">We have recently upgraded our IDS from Suricata 1.2.1 to 1.3. So far it's been excellent and I really look forward to future releases; however, we do have a problem with the latest stable release and its handling of threshold.conf.</span></div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="line-height:16px;white-space:pre-wrap;font-family:monospace"><br></span></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="line-height:16px;white-space:pre-wrap;font-family:monospace">When we start up the engine, it will report like this:</span></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="line-height:16px;white-space:pre-wrap;font-family:monospace"><br></span></div><span style="line-height:16px;color:rgb(34,34,34);font-size:13px;white-space:pre-wrap;font-family:monospace"><Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(215)] - signature sid:2001219 has an event var set. The signature event var is given precedence over the threshold.conf one. We'll change this in the future though.</span><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="line-height:16px;white-space:pre-wrap;font-family:monospace"><br></span></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="line-height:16px;white-space:pre-wrap;font-family:monospace">I can see that it's a planned feature to be able to swap the precedence between threshold.conf and the signature's event var, but I'm unable to find out where to change this, or whether I can at all.</span></div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="line-height:16px;white-space:pre-wrap;font-family:monospace"><br></span></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="line-height:16px;white-space:pre-wrap;font-family:monospace">Our IDS now doesn't filter out activity that we've previously investigated and found to be benign, and the kinds of rules these are set on are ones that we cannot disable completely (SSH Scanning, RDP Scanning, etc.).</span></div>
<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="line-height:16px;white-space:pre-wrap;font-family:monospace"><br></span></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="line-height:16px;white-space:pre-wrap;font-family:monospace">Any help would be appreciated.</span></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">
<span style="line-height:16px;white-space:pre-wrap;font-family:monospace"><br></span></div><div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="line-height:16px;white-space:pre-wrap;font-family:monospace">Thanks</span></div>
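<div style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><span style="line-height:16px;white-space:pre-wrap;font-family:monospace">Added example (not from the message above or from the Suricata project): a threshold.conf showing the kind of entry the quoted warning is about beside a suppress entry that filters a known-benign source for the same rule. The IP addresses are constructed placeholders; the example assumes that the "event var" in the warning is the rule's own threshold keyword and that suppress entries are applied independently of it.</span></div>

```conf
# threshold.conf (constructed example)

# A 'threshold' entry for a rule that already carries its own threshold
# keyword (sid 2001219, as in the message above). At startup Suricata 1.3
# logs the SC_ERR_EVENT_ENGINE warning quoted above and keeps the rule's
# own value, so this line currently has no effect.
threshold gen_id 1, sig_id 2001219, type limit, track by_src, count 1, seconds 3600

# A 'suppress' entry (assumption: applied independently of the rule's
# threshold keyword) drops alerts for sid 2001219 only when the source is
# a host that has already been investigated and found benign, so the scan
# rule itself stays enabled for every other source.
suppress gen_id 1, sig_id 2001219, track by_src, ip 192.0.2.10

# The same for a whole range, when several known-benign scanners exist.
suppress gen_id 1, sig_id 2001219, track by_src, ip 192.0.2.0/24
```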