[Oisf-users] Event var and threshold.conf

Anoop Saldanha anoopsaldanha at gmail.com
Fri Aug 3 04:03:03 UTC 2012

On Fri, Aug 3, 2012 at 9:17 AM, Yin Izanami <yin.izanami at gmail.com> wrote:
> Hi,
> We recently have upgraded our IDS to Suricata 1.3 from 1.2.1, so far it's
> been excellent and I really look forward to future releases, however we do
> have a problem with the latest stable and its handling of threshold.conf.
> When we start up the engine, it will report like this:
> <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(215)] - signature sid:2001219 has
> an event var set. The signature event var is given precedence over the
> threshold.conf one. We'll change this in the future though.
> I can see that it's a planned feature to be able to swap precedence between
> threshold.conf and Event Var set, but I'm unable to find out where to change
> this, or if I'm able to at all.

The behavior/code with regard to precedence is same between the newer
and older version.  We haven't changed any feature/code here when we
had this warning put up.  We just realized that this was our
precedence behavior, and added a warning for users who thought
otherwise.  We'll be changing this behaviour in the future.

> Our IDS now doesn't filter out activity that we've previously investigated
> and found to be benign, and the kinds of rules that these are set on are
> ones that we cannot disable completely (SSH Scanning, RDP Scanning, etc.)
> Any help would be appreciated.
> Thanks
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Possible to provide a pcap and ruleset?  You can send it privately if
it contains sensitive data.

Anoop Saldanha

More information about the Oisf-users mailing list