[Oisf-users] Negating Alert
Martin Holste
mcholste at gmail.com
Mon Oct 29 15:46:12 UTC 2012
If there's a rule that's giving you a lot of trouble, then you should
either suppress the output for it using the threshold.conf file or
disable the rule entirely. The suppress is nice because you can
suppress just certain IP addresses, though for super-noisy rules like
this, it's probably fine to just suppress it entirely. Then submit
your false positives to the emerging threats list so the rule can be
fixed, and you can unsuppress it later.
On Mon, Oct 29, 2012 at 9:29 AM, Victor Julien <lists at inliniac.net> wrote:
> On 10/29/2012 12:28 PM, Kerry Milestone wrote:
>> Hello,
>>
>> wondering what the best method is for negating an alert.
>>
>> We use quite a bit of Aspera and also FDT for large data transfers.
>> Unfortunately, they trigger a bunch of the P2P rules.
>>
>> What would be the best way to go about hitting the signature for these specific
>> transfers and then ignoring other rules? It is not really possible to exclude
>> particular IP addresses.
>
> I think in such a case the best bet is to fix the rules themselves, as
> they appear to be false positives.
>
> Alternatively, you could try to create custom "pass" rules that detect
> your protocols being in use. By using the pass action further inspection
> for a packet is canceled, which should eliminate the FP's.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
More information about the Oisf-users
mailing list