[Oisf-users] pass rule events suddenly start getting logged as alert events upon upgrade from Suricata 1.4.1 to 1.4.3

Victor Julien lists at inliniac.net
Mon Jul 8 10:27:38 UTC 2013


On 07/08/2013 10:46 AM, Victor Julien wrote:
> On 07/04/2013 12:05 AM, Kevin Branch wrote:
>> Upon recently upgrading my sensors from Suricata 1.4.1 to 1.4.3, events
>> that trigger my "pass" rules are now getting dumped into my unified2
>> output file right alongside all the "alert" events.  Multiple sites are
>> affected by this and it's filling up my event databases with unwanted
>> non-alert events.  Did something change between 1.4.1 and 1.4.3 such
>> that I need to do something special to keep "pass" events from being
>> output to my unified2 files?  I did not change the suricata.yaml files
>> at all during the upgrade process.
> 
> I can reproduce this, looking into it.
> 

We'll track the bug here:
https://redmine.openinfosecfoundation.org/issues/864

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------




More information about the Oisf-users mailing list