[Oisf-users] Event var and threshold.conf
Anoop Saldanha
anoopsaldanha at gmail.com
Fri Aug 3 04:03:03 UTC 2012
On Fri, Aug 3, 2012 at 9:17 AM, Yin Izanami <yin.izanami at gmail.com> wrote:
> Hi,
> We recently have upgraded our IDS to Suricata 1.3 from 1.2.1, so far it's
> been excellent and I really look forward to future releases, however we do
> have a problem with the latest stable and its handling of threshold.conf.
>
> When we start up the engine, it will report like this:
>
> <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(215)] - signature sid:2001219 has
> an event var set. The signature event var is given precedence over the
> threshold.conf one. We'll change this in the future though.
>
> I can see that it's a planned feature to be able to swap precedence between
> threshold.conf and Event Var set, but I'm unable to find out where to change
> this, or if I'm able to at all.
>
The behavior/code with regard to precedence is same between the newer
and older version. We haven't changed any feature/code here when we
had this warning put up. We just realized that this was our
precedence behavior, and added a warning for users who thought
otherwise. We'll be changing this behaviour in the future.
> Our IDS now doesn't filter out activity that we've previously investigated
> and found to be benign, and the kinds of rules that these are set on are
> ones that we cannot disable completely (SSH Scanning, RDP Scanning, etc.)
>
> Any help would be appreciated.
>
> Thanks
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
Possible to provide a pcap and ruleset? You can send it privately if
it contains sensitive data.
--
Anoop Saldanha
More information about the Oisf-users
mailing list