[Oisf-users] Negating Alert
Kerry Milestone
km4 at sanger.ac.uk
Wed Oct 31 14:58:07 UTC 2012
Hello,
I have managed to reduce the alerting by using pass rules.
If I am correct, I think this would give best performance as the action-order
puts a pass first reducing the requirements to even bother to inspect further
and on a large data transfer this means quite a few packets.
I also managed to work the threshold file, but in my head I am pretty sure the
pass option is the best for this particular data.
Thanks for your help.
Kerry.
On 29/10/12 14:29, Victor Julien wrote:
> I think in such a case the best bet is to fix the rules themselves, as they
> appear to be false positives. Alternatively, you could try to create custom
> "pass" rules that detect your protocols being in use. By using the pass action
> further inspection for a packet is canceled, which should eliminate the FP's.
On 29/10/12 15:46, Martin Holste wrote:
> If there's a rule that's giving you a lot of trouble, then you should
> either suppress the output for it using the threshold.conf file or
> disable the rule entirely. The suppress is nice because you can
> suppress just certain IP addresses, though for super-noisy rules like
> this, it's probably fine to just suppress it entirely. Then submit
> your false positives to the emerging threats list so the rule can be
> fixed, and you can unsuppress it later.
--
The Wellcome Trust Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
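The two approaches discussed in this thread, shown side by side as an added example (not configuration from any of the posters). The address 192.0.2.10, port 50000, and both signature IDs are constructed placeholders; substitute the values for your own transfer host and the rule that is misfiring.

```conf
# --- local.rules (custom rule file) ---
# Pass rule for the known-good bulk transfer. Because "pass" comes first in
# action-order, matching packets skip further rule inspection.
# 192.0.2.10, port 50000 and sid 9000001 are constructed placeholders.
pass tcp $HOME_NET any -> 192.0.2.10 50000 (msg:"LOCAL pass known bulk data transfer"; sid:9000001; rev:1;)

# --- suricata.yaml (default ordering, shown here for reference) ---
# action-order:
#   - pass
#   - drop
#   - reject
#   - alert

# --- threshold.conf ---
# Suppress the alert output of one noisy signature for a single source only.
# sig_id 2000001 is a placeholder for the rule producing the false positives.
suppress gen_id 1, sig_id 2000001, track by_src, ip 192.0.2.10

# Or suppress that signature entirely until the rule is fixed upstream:
# suppress gen_id 1, sig_id 2000001
```

Keep the pass rule as narrow as the transfer allows (specific hosts and ports), since anything it matches is no longer inspected by the alert rules.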