[Oisf-users] event var and threshold.conf

Anoop Saldanha anoopsaldanha at gmail.com
Tue Aug 21 14:41:16 UTC 2012


On Thu, Aug 2, 2012 at 8:03 AM, Yin Izanami <yin.izanami at gmail.com> wrote:
> Hi,
>
> We recently have upgraded our IDS to Suricata 1.3 from 1.2.1, so far it's
> been excellent and I really look forward to future releases, however we do
> have a problem with the latest stable and its handling of threshold.conf.
>
> When we start up the engine, it will report like this:
>
> <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(215)] - signature sid:2001219 has
> an event var set. The signature event var is given precedence over the
> threshold.conf one. We'll change this in the future though.
>
> I can see that it's a planned feature to be able to swap precedence between
> threshold.conf and Event Var set, but I'm unable to find out where to change
> this, or if I'm able to at all.
>

If the rule doesn't already have an event filter or a suppression set,
then you can set it in the threshold.conf and that should take care of
it.  If the rule has one set, then setting a filter/suppression inside
the conf to override the one specified in the rule won't work.  <-
This we will change in the future, where we will let the filter for
the rule set in the conf have precedence over the one set in the
rule.

> Our IDS now doesn't filter out activity that we've previously investigated
> and found to be benign, and the kinds of rules that these are set on are
> ones that we cannot disable completely (SSH Scanning, RDP Scanning, etc.)
>
> Any help would be appreciated.
>
> Thanks
> Yin.
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>

Can you post the rule(s)?  You probably will have to update the
filters on these rules manually for now, or maybe remove the filter
from the rules and set it inside the conf file.

-- 
Anoop Saldanha
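As an added example, not code from this thread or from the Suricata project: a small Python check that replicates the precedence problem Anoop describes, flagging sids that appear in threshold.conf but also carry a rule-level threshold or detection_filter, and printing the rewritten rule once that filter is dropped so the conf entry applies. The rule bodies, sid 9000001 and the 192.0.2.10 address are constructed; only sid 2001219 comes from the thread.

```python
import re

# Constructed sample input (not from the thread): two rules, one carrying a
# rule-level threshold, plus a threshold.conf that tries to filter both sids.
RULES = r'''
# CONSTRUCTED rule bodies; only sid 2001219 is taken from the thread
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH scan example"; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; sid:2001219; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"CONSTRUCTED RDP scan example"; flags:S,12; sid:9000001; rev:1;)
'''
THRESHOLD_CONF = r'''
# constructed entries; 192.0.2.10 is a documentation address
suppress gen_id 1, sig_id 2001219, track by_src, ip 192.0.2.10
threshold gen_id 1, sig_id 9000001, type limit, track by_src, count 1, seconds 60
'''

# Rule options that make a signature carry its own event filter, which 1.3
# gives precedence over threshold.conf (the warning quoted in the thread).
EVENT_FILTER_OPTS = re.compile(r'\b(threshold|detection_filter)\s*:')

def _lines(text):
    """Non-blank, non-comment lines of a rules or threshold.conf file."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith('#')]

def parse_rules(text):
    """Map sid -> rule text (naive: does not account for 'sid:' inside msg strings)."""
    rules = {}
    for line in _lines(text):
        m = re.search(r'\bsid\s*:\s*(\d+)\s*;', line)
        if m:
            rules[int(m.group(1))] = line
    return rules

def conf_sids(text):
    """Set of sig_ids that threshold.conf suppresses or thresholds."""
    return {int(m.group(1)) for line in _lines(text)
            for m in re.finditer(r'\bsig_id\s+(\d+)', line)}

def find_conflicts(rules_text, conf_text):
    """Sids whose threshold.conf entry is ignored because the rule has its own filter."""
    rules = parse_rules(rules_text)
    return sorted(sid for sid in conf_sids(conf_text)
                  if sid in rules and EVENT_FILTER_OPTS.search(rules[sid]))

def strip_rule_filter(rule):
    """Workaround from the thread: drop the rule-level filter so the conf entry applies."""
    return re.sub(r'\s*\b(threshold|detection_filter)\s*:[^;]*;', '', rule)

if __name__ == '__main__':
    for sid in find_conflicts(RULES, THRESHOLD_CONF):
        print(f'sid {sid}: rule-level filter overrides threshold.conf; rewritten rule:')
        print('  ' + strip_rule_filter(parse_rules(RULES)[sid]))
```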


