[Oisf-devel] "noalert" option for xbits.

Victor Julien lists at inliniac.net
Thu Aug 25 07:17:25 UTC 2016


On 24-08-16 23:48, amit zala wrote:
> I was trying to use xbits for tracking purpose in ippair tracking.
> 
> Problem:
> 
> There are 2 rules. Rule A and Rule B.
> Rule A has certain conditions, and if they are met I set one xbit.
> Rule B has certain conditions, if those are met and Rule A has set the
> xbit then, I want to trigger the alert.
> 
> When I run the attack both the attacks get logged, but I need only rule
> B to get logged.
> So, my question is, Do we have "flowbits:noalert" type support for xbits?
> How can I stop suricata from logging rules which are just setting xbits?

You can simply use 'noalert;'. E.g.:
alert ip any any -> any any (content:"abc"; noalert; sid:1;)

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
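The two-rule pattern from the question, written out as an added example (not from the thread): rule A records the precondition on the IP pair and is silenced with noalert, rule B alerts only when its own match occurs and the bit is already set. The content strings, sids and the xbit name stage_one are constructed placeholders.

```suricata
# Rule A: match the first condition, set an xbit on the IP pair, but do not alert.
# "abc", the sids and the bit name "stage_one" are constructed for this example.
alert tcp any any -> any any (msg:"Stage one observed (silenced)"; flow:to_server,established; content:"abc"; xbits:set,stage_one,track ip_pair,expire 300; noalert; sid:1000001; rev:1;)

# Rule B: match the second condition and alert only if rule A already set the bit
# for the same source/destination pair within the expire window.
alert tcp any any -> any any (msg:"Stage two after stage one on same IP pair"; flow:to_server,established; content:"def"; xbits:isset,stage_one,track ip_pair; sid:1000002; rev:1;)
```

With noalert, rule A is still evaluated and still sets the bit; it just produces no alert record, so only sid 1000002 appears in the alert log, and the expire value bounds how long the first match remains usable by rule B.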