[Oisf-users] Flowbit question

Cooper F. Nelson cnelson at ucsd.edu
Mon Jan 11 21:43:06 UTC 2016



If you remove the 'flowbits: noalert' directive from a rule it will
generate an alert when the flowbit is set.

-Coop

On 1/11/2016 1:14 PM, Erich Lerch wrote:
> Sometimes it would be helpful if for a given rule which triggered an
> alert after evaluating a flowbit, it was possible to know which other
> rule was setting this very flowbit.
> 
> In ET rulesets, there might be dozens of possible candidates setting a
> flowbit, so finding the right candidate is not feasible.
> Is there a possibility to "automagically" find it? Does Suri track this
> information internally (so it might be logged somehow)?
> 
> Cheers,
> erich
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
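An added example, not from this thread or from Suricata itself, in Python: it indexes a ruleset by flowbit so the question above can be answered offline (which sids set a given bit, which sids test it), and it produces copies of the setter rules with `flowbits:noalert;` stripped, which is the debugging change Coop describes. The sample rules, their sids and the function names are constructed for this example.

```python
import re

# Constructed sample rules in Suricata syntax (not from any real ruleset).
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE client banner"; flow:established,to_server; http.user_agent; content:"ExampleAgent"; flowbits:set,example.client; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE server greeting"; flow:established,to_client; content:"HELLO"; flowbits:set,example.client; flowbits:noalert; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE download after banner"; flow:established,to_server; flowbits:isset,example.client; http.uri; content:".bin"; sid:9000003; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE unrelated"; flowbits:set,other.bit; flowbits:noalert; sid:9000004; rev:1;)
"""

# One "flowbits:<op>[,<name>];" option; noalert carries no name.
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)(?:\s*,\s*([^;]+))?\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def index_flowbits(rules_text):
    """Map each flowbit name to {'setters': [sids], 'checkers': [sids]}."""
    index = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        sid = int(sid_m.group(1))
        for op, names in FLOWBITS_RE.findall(line):
            if op == "noalert":
                continue
            # "a|b" / "a&b" name lists are split so each bit is indexed on its own.
            for name in re.split(r"[|&]", names):
                entry = index.setdefault(name.strip(), {"setters": [], "checkers": []})
                if op in ("set", "toggle"):
                    entry["setters"].append(sid)
                elif op in ("isset", "isnotset"):
                    entry["checkers"].append(sid)
    return index

def setters_of(rules_text, flowbit):
    """Sids of every rule that can set the given flowbit."""
    return index_flowbits(rules_text).get(flowbit, {}).get("setters", [])

def debug_rules_for(rules_text, flowbit):
    """Setter rules with 'flowbits:noalert;' removed, so each alerts when it sets the bit."""
    wanted = set(setters_of(rules_text, flowbit))
    out = []
    for line in rules_text.splitlines():
        sid_m = SID_RE.search(line)
        if sid_m and int(sid_m.group(1)) in wanted:
            out.append(re.sub(r"\s*flowbits\s*:\s*noalert\s*;", "", line))
    return out
```

Load the `debug_rules_for` output into a test sensor instead of the originals, and the alert log then shows which setter fired before the `isset` rule did.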
