My alert is generating duplicate alerts and I was wondering if there is a way to limit the amount of duplication that occurs?
I would first investigate why there are duplicate alerts: are they exactly the same, or just more matches on the same traffic? Maybe duplicated traffic is forwarded, etc.
Ok, looks like it isn't really a duplication issue. However, how would I screen out the following from the alert information?

exclude:
  - alert.pkts_toserver
  - alert.pkts_toclient
  - alert.bytes_toserver
  - alert.bytes_toclient
You would have to do that with some sort of postprocessing; this data is always included for an alert, same with flow_id and some other basics.
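One way to do that postprocessing, as an added example that is not from this thread or from Suricata itself: a small Python filter that reads EVE JSON lines and drops the four dotted-path fields listed in the question from each event. The sample lines are constructed, and the counters are placed under "alert" purely to match the poster's "alert.pkts_toserver" naming; the EXCLUDE paths are what you would adjust if your output nests them elsewhere.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample eve.json lines (not from the thread). The counters sit under
# "alert" to match the poster's "alert.pkts_toserver" naming; adjust EXCLUDE if
# your EVE output nests them elsewhere (e.g. under "flow").
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-01-01T00:00:00.000000+0000", "event_type": "alert",
                "flow_id": 1, "src_ip": "10.0.0.1", "dest_ip": "10.0.0.2",
                "alert": {"signature_id": 1000001, "signature": "TEST rule",
                          "pkts_toserver": 3, "pkts_toclient": 2,
                          "bytes_toserver": 300, "bytes_toclient": 200}}),
    json.dumps({"timestamp": "2024-01-01T00:00:01.000000+0000", "event_type": "flow",
                "flow_id": 2, "flow": {"pkts_toserver": 5}}),
    "{not valid json",  # a corrupt line, to show it is skipped rather than fatal
]

# Dotted paths to strip, exactly as listed in the question.
EXCLUDE = ["alert.pkts_toserver", "alert.pkts_toclient",
           "alert.bytes_toserver", "alert.bytes_toclient"]

_MISSING = object()  # sentinel so a legitimately-None value still counts as removed


def drop_path(event: Dict[str, Any], dotted: str) -> bool:
    """Remove one dotted-path key in place; True if it existed, else False."""
    parts = dotted.split(".")
    node: Any = event
    for part in parts[:-1]:
        node = node.get(part) if isinstance(node, dict) else None
    if not isinstance(node, dict):
        return False  # parent object absent, or the event is not a JSON object
    return node.pop(parts[-1], _MISSING) is not _MISSING


def filter_events(lines: Iterable[str], exclude: List[str]) -> List[Dict[str, Any]]:
    """Parse EVE JSON lines and strip the excluded paths from every event."""
    out: List[Dict[str, Any]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip corrupt lines (e.g. a partial write) instead of aborting
        for path in exclude:
            drop_path(event, path)
        out.append(event)
    return out
```

To run it over a live log, pass the open eve.json file object to filter_events and write each returned event back out with json.dumps, one per line.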