[Oisf-devel] "noalert" option for xbits.

amit zala impmails67 at gmail.com
Wed Aug 24 21:48:24 UTC 2016


Hi All,

I was trying to use xbits for tracking purposes in ippair tracking.

Problem:

There are 2 rules: Rule A and Rule B.
Rule A has certain conditions, and if they are met I set one xbit.
Rule B has certain conditions; if those are met and Rule A has set the
xbit, then I want to trigger the alert.

When I run the attack, both the attacks get logged, but I need only rule B
to get logged.
So, my question is: do we have "flowbits:noalert" type support for xbits?
How can I stop Suricata from logging rules which are just setting xbits?

Thanks
Amit
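
The two-rule setup described in the message above, as an added example that is not part of the original post or of the Suricata project's rule sets. It relies on flowbits:noalert marking the whole signature as non-alerting, so it can be placed in a rule that only sets an xbit. The protocol, content strings, xbit name, expire value and sids are constructed for illustration.

```suricata
# Rule A: conditions met -> set the xbit for this IP pair, log nothing.
# flowbits:noalert suppresses the alert for the whole signature; the
# xbits:set action still runs when the rule matches.
alert http any any -> $HOME_NET any (msg:"Rule A - stage one seen (setter only)"; \
    flow:established,to_server; content:"/stage-one"; http_uri; \
    xbits:set,stage1_seen,track ip_pair,expire 300; \
    flowbits:noalert; \
    sid:1000001; rev:1;)

# Rule B: conditions met AND Rule A already set the xbit for the same
# IP pair -> this is the only rule that produces an alert.
alert http any any -> $HOME_NET any (msg:"Rule B - stage two after stage one"; \
    flow:established,to_server; content:"/stage-two"; http_uri; \
    xbits:isset,stage1_seen,track ip_pair; \
    sid:1000002; rev:1;)
```

With track ip_pair the bit is stored per source/destination address pair, so Rule B can fire on a later flow between the same two hosts until the expire time passes.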