[Oisf-users] Negating Alert

Kerry Milestone km4 at sanger.ac.uk
Wed Oct 31 14:58:07 UTC 2012


I have managed to reduce the alerting by using pass rules. 

If if am correct, I think this would give best performance as the action-order
puts a pass first reducing the requirements to even bother to inspect further
and on a large data transfer this means quite a few packets.

I also managed to work the threshold file, but in my head I am pretty sure the
pass option is the best for this particular data.

Thanks for your help.


On 29/10/12 14:29, Victor Julien wrote:
> I think in such a case the best bet is to fix the rules themselves, as they
> appear to be false positives. Alternatively, you could try to create custom
> "pass" rules that detect your protocols being in use. By using the pass action
> further inspection for a packet is canceled, which should eliminate the FP's. 

On 29/10/12 15:46, Martin Holste wrote:
> If there's a rule that's giving you a lot of trouble, then you should
> either suppress the output for it using the threshold.conf file or
> disable the rule entirely.  The suppress is nice because you can
> suppress just certain IP addresses, though for super-noisy rules like
> this, it's probably fine to just suppress it entirely.  Then submit
> your false positives to the emerging threats list so the rule can be
> fixed, and you can unsuppress it later.

 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 

More information about the Oisf-users mailing list