Hi,<br><br>That would probably be handled with some custom rule writing.<br>If I understand your question correctly - you need to edit the particular rules (or add an edited version of the particular rule) to alert only when a connection attempt is made from your systems out to these "bad" hosts.<br>
<br>Thanks<br><br><div class="gmail_quote">On Fri, Oct 28, 2011 at 9:42 PM, Dewhirst, Rob <span dir="ltr">&lt;<a href="mailto:robdewhirst@gmail.com">robdewhirst@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Is there a way I can have suricata NOT alert when certain rules<br>
(especially the DROP, COMPROMISED sets) are tripped for inbound<br>
connections? For some of my public systems I don't care if known bad<br>
hosts are contacting them, but I most certainly want to know if they<br>
make connections *out* to those systems.<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>
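<br>One way to do the rule editing suggested in the reply above, as an added example that is not part of the original thread or of the Suricata project. It assumes the blocklist rules have the header form <code>[addresses] any -&gt; $HOME_NET any</code>; the sample rules, the starting sid 1000001 and the "LOCAL OUTBOUND" msg prefix are constructed for illustration.<br>

```python
import re

# Rule header: action proto src sport direction dst dport (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\[[^\]]*\]|\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

def outbound_variant(rule, new_sid):
    """Rewrite 'bad hosts -> $HOME_NET' as '$HOME_NET -> bad hosts'.
    Returns None when the rule is not an inbound literal-address-list rule."""
    m = HEADER.match(rule.strip())
    if not m or m['dir'] != '->' or m['dst'] != '$HOME_NET':
        return None
    if m['src'] == 'any' or m['src'].startswith(('$', '!')):
        return None  # source is a variable or negation, not a list of bad hosts
    # The copy needs its own sid so it does not collide with the original rule.
    opts, n = re.subn(r'\bsid\s*:\s*\d+\s*;', f'sid:{new_sid};', m['opts'], count=1)
    if n == 0:
        return None
    opts = re.sub(r'\brev\s*:\s*\d+\s*;', 'rev:1;', opts, count=1)
    opts = re.sub(r'\bmsg\s*:\s*"', 'msg:"LOCAL OUTBOUND ', opts, count=1)
    # Other options are carried over unchanged; review direction-sensitive
    # ones (flow, threshold "track by_src") by hand after the rewrite.
    return (f"{m['action']} {m['proto']} $HOME_NET {m['dport']} -> "
            f"{m['src']} {m['sport']} ({opts})")

def rewrite_ruleset(lines, first_sid=1000001):
    """Comment out each inbound blocklist rule and add its outbound variant."""
    out, sid = [], first_sid
    for line in lines:
        commented = line.lstrip().startswith('#')
        variant = None if commented else outbound_variant(line, sid)
        if variant is None:
            out.append(line)           # unrelated rule or comment: keep as-is
        else:
            out += ['# ' + line, variant]
            sid += 1
    return out

# Constructed sample rules (documentation addresses, made-up sids).
SAMPLE = [
    '# constructed sample rules, not taken from any published ruleset',
    'alert tcp [192.0.2.10,198.51.100.7] any -> $HOME_NET any (msg:"SAMPLE COMPROMISED hostile host group 1"; threshold: type limit, track by_src, seconds 60, count 1; sid:5000001; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH scan"; sid:5000002; rev:1;)',
]

if __name__ == '__main__':
    print('\n'.join(rewrite_ruleset(SAMPLE)))
```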