[Oisf-users] Disable rule based on content

Darien Huss dhuss at emergingthreats.net
Tue Feb 10 13:27:29 UTC 2015


As Anthony mentioned, feel free to send me a pcap off-list so I can get
that signature fixed up. Also, we run a list over here:
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs where the
ET community can report false positives, submit signatures, etc.

Regards,
Darien

On Tue, Feb 10, 2015 at 7:59 AM, Rodgers, Anthony (DTMB) <RodgersA1 at michigan.gov> wrote:

> <insert mandatory evil bit joke here>
>
> Seriously, though, the best way is to provide EmergingThreats with a
> sanitized pcap of the legitimate traffic so we/they can improve the
> signature, or take it out the back and shoot it.
>
> Alternatively, you can suppress alerts for this rule for certain IP
> addresses if your legitimate traffic is confined to them.
>
> Anthony Rodgers
> Security Analyst
> Michigan Security Operations Center (MiSOC)
>
>
> -----Original Message-----
> From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:
> oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of C. L.
> Martinez
> Sent: Tuesday, February 10, 2015 02:12
> To: oisf-users
> Subject: [Oisf-users] Disable rule based on content
>
> Hi all,
>
>  I have a problem with the rule 2018456 (ET TROJAN ELF/Mayhem Checkin). It
> is triggered with legitimate content.
>
>  How can I disable this rule only when content is legitimate?
>
> Thanks.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
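The per-address suppression Anthony suggests, as an added example of a Suricata threshold.config entry (not from the thread; the 10.0.5.0/24 network and 10.0.5.17 host are constructed placeholders, and gen_id 1 is the generator id ET rules use):

```conf
# threshold.config, referenced from suricata.yaml via the threshold-file: key.
# Added example, not from the mailing-list thread. 10.0.5.0/24 and 10.0.5.17
# are constructed placeholders for the hosts whose traffic is known to be
# legitimate.

# Suppress ET TROJAN ELF/Mayhem Checkin (sid 2018456) only when the alert's
# source address is inside the known-good network. The rule still fires for
# every other source, so a real checkin from another host is not hidden.
suppress gen_id 1, sig_id 2018456, track by_src, ip 10.0.5.0/24

# If the legitimate traffic is better identified by where it goes (for
# example one internal server), key the exception on the destination instead.
suppress gen_id 1, sig_id 2018456, track by_dst, ip 10.0.5.17

# Not used here: without a track/ip clause the entry silences the signature
# for all traffic, which is the "take it out the back" option rather than a
# targeted exception.
# suppress gen_id 1, sig_id 2018456
```

Suricata reads the file at start-up and on rule reload, so the exception takes effect only after a restart or reload; keep the sanitized pcap Darien asked for so the signature itself can be corrected rather than leaving the exception in place indefinitely.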