[Oisf-users] Negating Alert

Victor Julien lists at inliniac.net
Mon Oct 29 14:29:14 UTC 2012

On 10/29/2012 12:28 PM, Kerry Milestone wrote:
> Hello,
> wondering what the best method is for negating an alert.
> We use quite a bit of Aspera and also FDT for large data transfers. 
> Unfortunately, they trigger a bunch of the P2P rules.
> What would be the best way to go about hitting the signature for these specific
> transfers and then ignoring other rules?  It is not really possible to exclude
> particular IP addresses.

I think in such a case the best bet is to fix the rules themselves, as
they appear to be false positives.

Alternatively, you could try to create custom "pass" rules that detect
your protocols being in use. By using the pass action further inspection
for a packet is canceled, which should eliminate the FP's.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list