Feature #2906
closed
Make sure that noalert is set in newly enabled rules
Effort: low
Difficulty: low
Description
Suricata-update comes with a function whereby rules that depend on flowbits get enabled recursively until all flowbit dependencies/conflicts are resolved. This leads to the following problem: rules that have been previously disabled (e.g. in disable.conf) will get enabled and could produce a lot of noise (e.g. ET INFO rules that match on vulnerable Java versions). I would suggest adding the option "flowbit-no-alert" to enable flowbit dependencies "silently", so that no alerts get triggered for those rules.
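The behaviour requested above, sketched as an added example (not suricata-update's own code): disabled rules are re-enabled recursively when an enabled rule checks a flowbit they set, and each rule enabled that way gets `flowbits:noalert;` unless it already has it. The rule text, sids and flowbit names are constructed, and treating `set`/`unset`/`toggle` as setters and `isset`/`isnotset` as checkers is an assumption of this sketch.

```python
import re

# Matches one flowbits option, e.g. "flowbits:set,name;" or "flowbits:noalert;"
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+?))?\s*;")
SETTERS, CHECKERS = {"set", "unset", "toggle"}, {"isset", "isnotset"}

# Constructed sample ruleset; a leading "#" marks a rule disabled (e.g. via disable.conf).
SAMPLE = [
    'alert http any any -> any any (msg:"Constructed exploit attempt"; flowbits:isset,demo.java.vuln; sid:1000001;)',
    '# alert http any any -> any any (msg:"Constructed INFO vulnerable Java"; flowbits:isset,demo.java.seen; flowbits:set,demo.java.vuln; sid:1000002;)',
    '# alert http any any -> any any (msg:"Constructed INFO Java UA"; flowbits:set,demo.java.seen; flowbits:noalert; sid:1000003;)',
    '# alert http any any -> any any (msg:"Constructed unrelated"; flowbits:set,demo.other; sid:1000004;)',
]

def names(rule, commands):
    """Flowbit names used by `rule` with any of the given flowbits commands."""
    found = set()
    for cmd, arg in FLOWBITS_RE.findall(rule):
        if cmd in commands and arg:
            found.update(n.strip() for n in re.split(r"[|&]", arg))
    return found

def add_noalert(rule):
    """Append flowbits:noalert before the closing paren, unless already present."""
    if any(cmd == "noalert" for cmd, _ in FLOWBITS_RE.findall(rule)):
        return rule
    return rule[:rule.rindex(")")].rstrip() + " flowbits:noalert;)"

def resolve(lines):
    """Enable flowbit dependencies recursively and silence the rules enabled that way."""
    rules = [l.strip().lstrip("# ") for l in lines]
    enabled = [not l.strip().startswith("#") for l in lines]
    silenced = set()
    changed = True
    while changed:  # repeat until no further dependency gets enabled
        changed = False
        required = set().union(*(names(r, CHECKERS) for r, on in zip(rules, enabled) if on))
        for i, rule in enumerate(rules):
            if not enabled[i] and names(rule, SETTERS) & required:
                enabled[i], changed = True, True
                silenced.add(i)
    return [(add_noalert(r) if i in silenced else r) if enabled[i] else "# " + r
            for i, r in enumerate(rules)]

if __name__ == "__main__":
    print("\n".join(resolve(SAMPLE)))
```

Rules that were already enabled by the user are left untouched, so only the dependencies pulled in by the resolver are silenced.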