Snort mailing list archives

Re: Disable a rule when another trigger


From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Thu, 15 Jul 2010 13:31:53 -0400

You could set event_queue to 1.  Then snort will only generate one event.

Cheers,
-matt

On Thu, Jul 15, 2010 at 4:56 AM, Nerijus Krukauskas
<nkrukauskas () gmail com> wrote:

On Thu, July 15, 2010 11:18, Flavian Dola wrote:
Hi,

Is there a way to tell snort to disable a specific rule when another
rule matches a packet?

In fact, I have two rules that generate two different alerts on one frame.
Ideally, I would like to have only one alert. And I don't want to
permanently disable one of these rules.

I guess the flowbits option is the answer.

--
http://nk99.org/



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/


