[Oisf-users] Flowbit question
Erich Lerch
erich.lerch at gmail.com
Mon Jan 11 22:20:18 UTC 2016
Thanks, that's a possibility I thought about, too.
I thought there might be a "silent" way, though, and one without having
to edit the rulesets.
erich
On 11.01.2016 22:43, Cooper F. Nelson wrote:
> If you remove the 'flowbits: noalert' directive from a rule it will
> generate an alert when the flowbit is set.
>
> -Coop
>
> On 1/11/2016 1:14 PM, Erich Lerch wrote:
>> Sometimes it would be helpful if for a given rule which triggered an
>> alert after evaluating a flowbit, it was possible to know which other
>> rule was setting this very flowbit.
>
>> In ET rulesets, there might be dozens of possible candidates setting a
>> flowbit, so finding the right candidate is not feasible.
>> Is there a possibility to "automagically" find it? Does Suri track this
>> information internally (so it might be logged somehow)?
>
>> Cheers,
>> erich
>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
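Erich's question above, whether the rule that set a flowbit can be found without hand-searching the ruleset: as an added example that is not from the thread or from Suricata, a small Python script that parses a ruleset offline and maps each flowbit an alerting rule checks to the sids that set it, calling out the setters carrying `flowbits:noalert` (the ones that never show up in the alert log, which is why Coop suggests removing that directive). The sample rules, sids and flowbit names are constructed.

```python
import re

# Constructed sample rules in Suricata syntax; not taken from the ET ruleset.
SAMPLE_RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SETTER A"; content:"foo"; flowbits:set,demo.stage1; flowbits:noalert; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SETTER B"; content:"bar"; flowbits:set,demo.stage1; flowbits:noalert; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHECKER"; flowbits:isset,demo.stage1; content:"baz"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ORCHECK"; flowbits:isset,demo.stage1|demo.other; sid:1000005; rev:1;)
# alert tcp any any -> any any (msg:"DISABLED SETTER"; flowbits:set,demo.stage1; sid:1000004; rev:1;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits\s*:\s*([A-Za-z]+)\s*(?:,\s*([^;]+?))?\s*;')

def parse_rules(text):
    """Parse one rule per line into dicts; a leading '#' marks a disabled rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # blank, comment-only or malformed line
        enabled = not line.startswith('#')
        rule = {'sid': int(sid_m.group(1)), 'enabled': enabled,
                'sets': set(), 'checks': set(), 'noalert': False}
        for op, arg in FLOWBITS_RE.findall(line):
            op = op.lower()
            names = {n.strip() for n in arg.split('|')} if arg else set()  # '|' = OR-ed names
            if op == 'noalert':
                rule['noalert'] = True
            elif op in ('set', 'toggle'):
                rule['sets'] |= names
            elif op in ('isset', 'isnotset'):
                rule['checks'] |= names
        rules.append(rule)
    return rules

def setters(rules, flowbit, include_disabled=False):
    """Sorted sids of rules that set `flowbit` (enabled ones only, unless asked otherwise)."""
    return sorted(r['sid'] for r in rules
                  if flowbit in r['sets'] and (r['enabled'] or include_disabled))

def candidates_for_sid(rules, sid, include_disabled=False):
    """For an alerting rule, map each flowbit it checks to the sids that could have set it."""
    rule = next(r for r in rules if r['sid'] == sid)
    return {fb: setters(rules, fb, include_disabled) for fb in sorted(rule['checks'])}

def silent_setters(rules, flowbit):
    """Enabled setters carrying flowbits:noalert, i.e. the ones that never appear in the alert log."""
    return sorted(r['sid'] for r in rules if flowbit in r['sets'] and r['noalert'] and r['enabled'])
```

Run it against a concatenation of the live `.rules` files to narrow the candidates for a given sid before deciding which setter to un-silence.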