that should do the trick.<br>may be also<br>"$HOME_NET -> badips " -if you know which ips the home net shouldn't be talking with.<br><br><div class="gmail_quote">On Sat, Oct 29, 2011 at 3:57 PM, Dewhirst, Rob <span dir="ltr"><<a href="mailto:robdewhirst@gmail.com">robdewhirst@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hm, replacing the "any -> $HOME_NET" with "$HOME_NET -> any" in all<br>
the rules? I thought of that but it seemed to simple.<br>
<div><div></div><div class="h5"><br>
On Sat, Oct 29, 2011 at 3:07 AM, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br>
> Hi,<br>
><br>
> That would probably be handled with some custom rule writing.<br>
> If I understand your question correctly - you need to edit the particular<br>
> rules (or add an edited version of the particular rule) to alert only when a<br>
> connection attempt is made from your systems out to these "bad" hosts.<br>
><br>
> Thanks<br>
><br>
> On Fri, Oct 28, 2011 at 9:42 PM, Dewhirst, Rob <<a href="mailto:robdewhirst@gmail.com">robdewhirst@gmail.com</a>><br>
> wrote:<br>
>><br>
>> Is there a way I can have suricata NOT alert when certain rules<br>
>> (especially the DROP, COMPROMISED sets) are tripped for inbound<br>
>> connections? For some of my public systems I don't care if known bad<br>
>> hosts are contacting them, but I most certainly want to know if they<br>
>> make connections *out* to those systems.<br>
>> _______________________________________________<br>
>> Oisf-users mailing list<br>
>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
><br>
><br>
> --<br>
> Peter Manev<br>
><br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>