[Snort-sigs] Disable a rule when another trigger

Matt Watchinski mwatchinski at ...435...
Thu Jul 15 13:31:53 EDT 2010


You could set event_queue to 1.  Then snort will only generate one event.

Cheers,
-matt

On Thu, Jul 15, 2010 at 4:56 AM, Nerijus Krukauskas
<nkrukauskas at ...2420...> wrote:
>
> On Thu, July 15, 2010 11:18, Flavian Dola wrote:
>> Hi,
>>
>> Is there a way to tell snort to disable a specific rule when another
>> rule matches a packet?
>>
>> In fact, I have two rules that generate two different alerts on one frame.
>> Ideally, I would like to have just one alert. And I don't want to
>> permanently disable one of these rules.
>
> I guess the flowbits option is the answer.
>
> --
> http://nk99.org/
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
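
One reading of the event_queue suggestion above, shown as an added example that is not part of the original thread: in Snort 2.x, "log 1" makes the event queue log a single event per packet or stream, and "order_events priority" makes that the highest-priority one. The two rules, their SIDs and the content strings are constructed for illustration.

```conf
# snort.conf fragment, Snort 2.x syntax. Added example; rules and SIDs are constructed.

# Setting documented as the default in the Snort 2.x manual:
# queue up to 8 events per packet/stream and log 3 of them.
# config event_queue: max_queue 8 log 3 order_events content_length

# Keep the queue at 8 so every matching rule is still considered,
# but log only one event per packet/stream, chosen by rule priority
# (priority 1 is the highest).
config event_queue: max_queue 8 log 1 order_events priority

# Two constructed local rules that both match the same request.
# With the setting above, only sid 1000001 (priority 1) is logged
# when both fire on one packet; sid 1000002 still alerts on packets
# where it is the only match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example specific match"; flow:to_server,established; content:"/example/admin.php"; priority:1; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example generic match"; flow:to_server,established; content:"admin"; priority:3; sid:1000002; rev:1;)
```

The event_queue setting is global, so it limits every packet or stream to one logged event, not only the two rules in question.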



