[Oisf-users] Disable rule based on content

Rodgers, Anthony (DTMB) RodgersA1 at michigan.gov
Tue Feb 10 12:59:58 UTC 2015


<insert mandatory evil bit joke here>

Seriously, though, the best way is to provide EmergingThreats with a sanitized pcap of the legitimate traffic so we/they can improve the signature, or take it out the back and shoot it.

Alternatively, you can suppress alerts for this rule for certain IP addresses if your legitimate traffic is confined to them.

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)


-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of C. L. Martinez
Sent: Tuesday, February 10, 2015 02:12
To: oisf-users
Subject: [Oisf-users] Disable rule based on content

Hi all,

I have a problem with the rule 2018456 (ET TROJAN ELF/Mayhem Checkin). It is triggered with legitimate content.

How can I disable this rule only when content is legitimate?

Thanks.
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Training now available: http://suricata-ids.org/training/
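The per-IP suppression suggested in the reply above, written out as a Suricata threshold.config entry. This is an added example, not taken from the thread; the 10.0.0.0/24 range is a constructed placeholder for the hosts that generate the legitimate traffic.

```conf
# threshold.config (Suricata loads it via "threshold-file: threshold.config" in suricata.yaml).
# Added example: hide alerts for SID 2018456 only for a known-good source range.
# 10.0.0.0/24 is a constructed placeholder; replace it with the real hosts.

# Too broad: this silences the signature for every source and is equivalent to
# disabling it, which is what the question wanted to avoid.
# suppress gen_id 1, sig_id 2018456

# Scoped: suppress only when the source address of the matching traffic is in
# the trusted range (gen_id 1 is the generator id used by ordinary rules).
suppress gen_id 1, sig_id 2018456, track by_src, ip 10.0.0.0/24

# Use track by_dst instead if the legitimate traffic is better identified by
# where it is going rather than where it comes from.
# suppress gen_id 1, sig_id 2018456, track by_dst, ip 10.0.0.0/24

# suppress only drops the alert for these addresses; the signature still runs
# and still fires for every other source, so the false positive is narrowed
# rather than the rule being removed from the ruleset.
```

Suricata reads the threshold file at start-up, so restart (or reload) after editing it and confirm the alert still appears for sources outside the range.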


