[Oisf-users] event var and threshold.conf
Yin Izanami
yin.izanami at gmail.com
Thu Aug 2 02:32:09 UTC 2012
Hi,
We recently have upgraded our IDS to Suricata 1.3 from 1.2.1, so far it's
been excellent and I really look forward to future releases, however we do
have a problem with the latest stable and its handling of threshold.conf.
When we start up the engine, it will report like this:
<Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(215)] - signature sid:2001219 has
an event var set. The signature event var is given precedence over the
threshold.conf one. We'll change this in the future though.
I can see that it's a planned feature to be able to swap precedence between
threshold.conf and Event Var set, but I'm unable to find out where to
change this, or if I'm able to at all.
Our IDS now doesn't filter out activity that we've previously investigated
and found to be benign, and the kinds of rules that these are set on are
ones that we cannot disable completely (SSH Scanning, RDP Scanning, etc.)
Any help would be appreciated.
Thanks
Yin.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120802/989c9038/attachment-0002.html>
More information about the Oisf-users
mailing list