[Oisf-devel] "noalert" option for xbits.

Victor Julien lists at inliniac.net
Thu Aug 25 07:17:25 UTC 2016

On 24-08-16 23:48, amit zala wrote:
> I was trying to use xbits for tracking purpose in ippair tracking.
> Problem:
> There are 2 rules. Rule A and Rule B.
> Rule A has certain conditions, and if they are met I set one xbit.
> Rule B has certain conditions , if those are met and Rule A has set the
> xbit then, I want to trigger the alert.
> When I run the attack both the attacks gets logged, but I need only rule
> B to get logged.
> So, my question is, Do we have "flowbits:noalert" type support for xbits?
> How can I stop suricata from logging rules which are just  setting xbits?

You can simply use 'noalert;' E.g. alert ip any any -> any any
(content:"abc"; noalert; sid:1;)

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list