<div dir="ltr">As Anthony mentioned, feel free to send me a pcap off-list so I can get that signature fixed up. Also, we run a list over here: <a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a> where the ET community can report false positives, submit signatures, etc.<br><br>Regards,<br>Darien<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 10, 2015 at 7:59 AM, Rodgers, Anthony (DTMB) <span dir="ltr"><<a href="mailto:RodgersA1@michigan.gov" target="_blank">RodgersA1@michigan.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><insert mandatory evil bit joke here><br>
<br>
Seriously, though, the best way is to provide EmergingThreats with a sanitized pcap of the legitimate traffic so we/they can improve the signature, or take it out the back and shoot it.<br>
<br>
Alternatively, you can suppress alerts for this rule for certain IP addresses if your legitimate traffic is confined to them.<br>
<br>
Anthony Rodgers<br>
Security Analyst<br>
Michigan Security Operations Center (MiSOC)<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
-----Original Message-----<br>
From: <a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a> [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>] On Behalf Of C. L. Martinez<br>
Sent: Tuesday, February 10, 2015 02:12<br>
To: oisf-users<br>
Subject: [Oisf-users] Disable rule based on content<br>
<br>
Hi all,<br>
<br>
 I have a problem with the rule 2018456 (ET TROJAN ELF/Mayhem Checkin). It is triggered with legitimate content.<br>
<br>
 How can I disable this rule only when content is legitimate?<br>
<br>
Thanks.<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
</div></div></blockquote></div><br></div>
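Anthony's second suggestion above (keep the rule, suppress it only for the hosts that carry the legitimate traffic) in working form, as an added example that is not from the thread or from Suricata itself: it reads Suricata EVE JSON alert lines (constructed samples, not captured traffic), counts hits on sid 2018456 per source IP, and emits `threshold.config` suppress entries only for hosts the analyst has confirmed as legitimate, so any other source keeps alerting. The EVE field names are Suricata's; the sample addresses and the `legitimate` set are assumptions.

```python
import json
from collections import Counter
from typing import Iterable

SID = 2018456  # ET TROJAN ELF/Mayhem Checkin, the rule discussed in the thread

# Constructed sample EVE JSON (not captured traffic); only the fields used below are present.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.1.2.10","dest_ip":"203.0.113.5","alert":{"gid":1,"signature_id":2018456,"signature":"ET TROJAN ELF/Mayhem Checkin"}}
{"event_type":"alert","src_ip":"10.1.2.10","dest_ip":"203.0.113.6","alert":{"gid":1,"signature_id":2018456,"signature":"ET TROJAN ELF/Mayhem Checkin"}}
{"event_type":"alert","src_ip":"10.1.2.11","dest_ip":"203.0.113.5","alert":{"gid":1,"signature_id":2018456,"signature":"ET TROJAN ELF/Mayhem Checkin"}}
{"event_type":"alert","src_ip":"10.1.9.99","dest_ip":"198.51.100.7","alert":{"gid":1,"signature_id":2018456,"signature":"ET TROJAN ELF/Mayhem Checkin"}}
{"event_type":"alert","src_ip":"10.1.2.10","dest_ip":"198.51.100.7","alert":{"gid":1,"signature_id":2001219,"signature":"unrelated rule"}}
{"event_type":"flow","src_ip":"10.1.2.10","dest_ip":"203.0.113.5"}
"""

def alert_sources(eve_lines: Iterable[str], sid: int, gid: int = 1) -> Counter:
    """Count alerts for (gid, sid) per source IP; non-alert events and other sids are skipped."""
    counts: Counter = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        if alert.get("signature_id") == sid and alert.get("gid", 1) == gid:
            counts[ev["src_ip"]] += 1
    return counts

def suppress_lines(sid: int, hosts: Iterable[str], gid: int = 1) -> list[str]:
    """One threshold.config 'suppress' entry per host, tracked by source address."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {h}" for h in sorted(hosts)]

def plan(eve_text: str, sid: int, legitimate: set[str]) -> dict:
    """Suppress only confirmed hosts that actually alerted; report every other source for review."""
    counts = alert_sources(eve_text.splitlines(), sid)
    confirmed = legitimate & set(counts)
    return {
        "counts": counts,
        "suppress": suppress_lines(sid, confirmed),
        "still_alerting": set(counts) - legitimate,
    }

if __name__ == "__main__":
    # Hypothetical analyst-confirmed hosts; 10.1.9.99 is deliberately left out and keeps alerting.
    print("\n".join(plan(SAMPLE_EVE, SID, {"10.1.2.10", "10.1.2.11"})["suppress"]))
```

The emitted lines go into Suricata's `threshold.config`; the `still_alerting` set is the list of sources that triggered the rule without being confirmed, which is what you would review before widening the suppression.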