[Oisf-users] Disable rule based on content

Jay M. jskier at gmail.com
Tue Feb 10 13:36:13 UTC 2015


You can do this reactively by suppressing by rule id, IP, and port in
the threshold.conf file. You could also use a pass rule to proactively
pass what you know is legitimate traffic, however keep in mind any
passed traffic skips over the alert chain altogether.

The best solution IMO is to contact the ET mailing list, as others have noted.

--
Jay
jskier at gmail.com


On Tue, Feb 10, 2015 at 1:12 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> Hi all,
>
>  I have a problem with the rule 2018456 (ET TROJAN ELF/Mayhem
> Checkin). It is triggered with legitimate content.
>
>  How can I disable this rule only when content is legitimate?
>
> Thanks.
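As an added illustration, not taken from Jay's message or from the ET ruleset, here are the two mechanisms he describes, written for the sid in the question; the host 192.0.2.10, the subnet 192.0.2.0/24, the port and the custom sid 9000001 are placeholders chosen for the example.

```conf
# threshold.conf: suppress sid 2018456 only when the known-good host is the
# source. Every other source still raises the alert, so the rule keeps its value.
suppress gen_id 1, sig_id 2018456, track by_src, ip 192.0.2.10

# Same idea keyed on the destination side; a subnet or an address variable
# such as $HOME_NET is accepted in place of a single IP.
# suppress gen_id 1, sig_id 2018456, track by_dst, ip 192.0.2.0/24

# local.rules: the proactive alternative. Pass rules are evaluated before alert
# rules, and a pass match ends inspection of that packet, so NO signature can
# alert on the matched traffic. Scope it as narrowly as possible (host + port).
pass tcp 192.0.2.10 any -> any 80 (msg:"PASS known-good host, see sid 2018456"; sid:9000001; rev:1;)
```

Running `suricata -T -c /etc/suricata/suricata.yaml` after the edit checks that both files parse before the sensor is restarted.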


