
List:       snort-sigs
Subject:    Re: [Snort-sigs] Disable a rule when another trigger
From:       Matt Watchinski <mwatchinski () sourcefire ! com>
Date:       2010-07-15 17:31:53
Message-ID: AANLkTimhYVqAYSpUMVGl2Pq5u6mAhVqu4cQNKB0ozy2U () mail ! gmail ! com

You could set event_queue to 1.  Then snort will only generate one event.

Cheers,
-matt

On Thu, Jul 15, 2010 at 4:56 AM, Nerijus Krukauskas
<nkrukauskas@gmail.com> wrote:
>
> On Thu, July 15, 2010 11:18, Flavian Dola wrote:
>> Hi,
>>
>> Is there a way to tell snort to disable a specific rule when another
>> rule matches a packet?
>>
>> In fact, I have two rules that generate two different alerts on one frame.
>> Ideally, I would like to have only one alert. And I don't want to
>> permanently disable one of these rules.
>
> I guess the flowbits option is the answer.
>
> --
> http://nk99.org/
>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
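
The two suggestions in this thread, written out as Snort 2.x configuration. This is an added example, not part of the original messages; the rule contents, SIDs and the flowbit name `seen_specific` are constructed for illustration.

```conf
# --- Option 1: event_queue (snort.conf) ---------------------------------
# Documented default: up to 3 events are logged per packet or stream.
# config event_queue: max_queue 8 log 3 order_events content_length

# Log a single event. When two rules match the same frame, only the event
# ranked first is logged; order_events priority ranks by rule priority
# (1 is highest), so give the alert you want to keep the higher priority.
# This is a global setting: it also drops unrelated second alerts on a packet.
config event_queue: max_queue 8 log 1 order_events priority

# --- Option 2: flowbits (local.rules) -----------------------------------
# Constructed rules. The specific rule sets a bit on the flow; the generic
# rule only alerts while that bit is not set.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE specific match"; flow:to_server,established; content:"/admin/setup.php"; http_uri; flowbits:set,seen_specific; priority:1; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE generic match"; flow:to_server,established; content:"/admin/"; http_uri; flowbits:isnotset,seen_specific; priority:2; sid:1000002; rev:1;)

# Caveats for option 2:
#  - flowbits are per-flow state and need session tracking (stream preprocessor).
#  - The bit stays set for the rest of the flow, so the generic rule is also
#    silent on later packets of that flow, not just on the frame both rules hit.
#  - The generic rule is only suppressed if the specific rule is evaluated
#    first; confirm this on your build with a test pcap before relying on it.
```

Replaying a capture that triggers both rules and checking the alert output shows which option gives the single alert you want.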
