[Oisf-users] pass rule events suddenly start getting logged as alert events upon upgrade from Suricata 1.4.1 to 1.4.3
Victor Julien
lists at inliniac.net
Mon Jul 8 06:27:38 EDT 2013
On 07/08/2013 10:46 AM, Victor Julien wrote:
> On 07/04/2013 12:05 AM, Kevin Branch wrote:
>> Upon recently upgrading my sensors from Suricata 1.4.1 to 1.4.3, events
>> that trigger my "pass" rules are now getting dumped into my unified2
>> output file right alongside all the "alert" events. Multiple sites are
>> affected by this and it's filling up my event databases with unwanted
>> non-alert events. Did something change between 1.4.1 and 1.4.3 such
>> that I need to do something special to keep "pass" events from being
>> output to my unified2 files? I did not change the suricata.yaml files
>> at all during the upgrade process.
>
> I can reproduce this, looking into it.
>
We'll track the bug here:
https://redmine.openinfosecfoundation.org/issues/864
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
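A practitioner hit by the behaviour reported above (pass-rule matches landing in unified2) will want a quick way to confirm it from the output file itself rather than from the database. The following is an added example, not code from the thread, from Suricata or from the poster's sensors. It assumes the standard unified2 record layout (type 7 IPv4 events, type 104 IPv6 events, type 2 packet records, big-endian fields), extracts the sids of "pass" rules from a rules file, and reports any of those sids that show up as events. The rules text and the unified2 bytes are constructed sample data.

```python
"""Report unified2 events whose sid belongs to a 'pass' rule.

Added example, not part of the original mailing-list thread or of Suricata.
Assumptions: unified2 IDS event records of type 7 (IPv4, 52-byte body) and
type 104 (IPv6, 76-byte body), packet records of type 2; all fields are
big-endian. The rules file and the unified2 bytes below are constructed.
"""
import re
import struct

UNIFIED2_PACKET = 2           # packet record, skipped here
UNIFIED2_IDS_EVENT = 7        # IPv4 event
UNIFIED2_IDS_EVENT_IPV6 = 104 # IPv6 event

# Record header: type, length (both uint32, big-endian).
HDR = struct.Struct(">II")
# IDS event body (type 7): sensor_id, event_id, event_second, event_usec,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_src, ip_dst, sport_itype, dport_icode, protocol,
# impact_flag, impact, blocked.
EVENT_V4 = struct.Struct(">IIIIIIIII4s4sHHBBBB")
# Type 104 has the same layout with 16-byte addresses.
EVENT_V6 = struct.Struct(">IIIIIIIII16s16sHHBBBB")

# Rule action and the first sid option on each rule line.
RULE_RE = re.compile(r"^\s*(alert|pass|drop|reject)\s.*?\bsid\s*:\s*(\d+)\s*;", re.M)


def pass_rule_sids(rules_text):
    """Return the set of sids belonging to 'pass' rules in a rules file."""
    return {int(sid) for action, sid in RULE_RE.findall(rules_text) if action == "pass"}


def iter_events(data):
    """Yield (gid, sid, rev) for every IDS event record in a unified2 byte string."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        off += HDR.size
        body = data[off:off + rlen]
        if len(body) < rlen:
            break  # truncated trailing record, e.g. file still being written
        if rtype == UNIFIED2_IDS_EVENT and rlen == EVENT_V4.size:
            f = EVENT_V4.unpack(body)
            yield f[5], f[4], f[6]
        elif rtype == UNIFIED2_IDS_EVENT_IPV6 and rlen == EVENT_V6.size:
            f = EVENT_V6.unpack(body)
            yield f[5], f[4], f[6]
        off += rlen  # packet and unknown record types are skipped by length


def pass_events_logged(data, rules_text):
    """Sorted sids of pass rules (gid 1) that nevertheless appear as events."""
    passed = pass_rule_sids(rules_text)
    return sorted({sid for gid, sid, rev in iter_events(data) if gid == 1 and sid in passed})


# --- constructed sample input -------------------------------------------------
SAMPLE_RULES = """\
pass tcp 10.0.0.5 any -> any 80 (msg:"trusted scanner"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP probe"; content:"/admin"; sid:1000002; rev:1;)
"""


def _event_v4(event_id, sid):
    body = EVENT_V4.pack(1, event_id, 1372900000, 0, sid, 1, 1, 0, 3,
                         bytes([10, 0, 0, 5]), bytes([192, 168, 1, 7]),
                         40000, 80, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def _event_v6(event_id, sid):
    body = EVENT_V6.pack(1, event_id, 1372900000, 0, sid, 1, 1, 0, 3,
                         b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x05",
                         b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x07",
                         40001, 80, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT_IPV6, len(body)) + body


def _packet(event_id, payload):
    # Type 2 body: sensor_id, event_id, event_second, packet_second,
    # packet_usec, linktype, packet_length, followed by the packet bytes.
    body = struct.pack(">IIIIIII", 1, event_id, 1372900000, 1372900000,
                       0, 1, len(payload)) + payload
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body


SAMPLE_UNIFIED2 = (_event_v4(1, 1000002)          # alert rule: expected
                   + _event_v4(2, 1000001)        # pass rule: should not be here
                   + _packet(2, b"GET / HTTP/1.0\r\n\r\n")
                   + _event_v6(3, 1000001))       # pass rule over IPv6

if __name__ == "__main__":
    print("pass-rule sids present in unified2:", pass_events_logged(SAMPLE_UNIFIED2, SAMPLE_RULES))
```

Run it against a real file by reading the unified2 log into `data` and the sensor's rules into `rules_text`; an empty result means pass matches are being suppressed as expected, while any sid listed points at a rule whose matches are reaching the output.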