that should do the trick.<br>may be also<br>&quot;$HOME_NET -&gt; badips &quot; -if you know which ips the home net shouldn&#39;t be talking with.<br><br><div class="gmail_quote">On Sat, Oct 29, 2011 at 3:57 PM, Dewhirst, Rob <span dir="ltr">&lt;<a href="mailto:robdewhirst@gmail.com">robdewhirst@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hm, replacing the &quot;any -&gt; $HOME_NET&quot; with &quot;$HOME_NET -&gt; any&quot; in all<br>

the rules?  I thought of that but it seemed to simple.<br>
<div><div></div><div class="h5"><br>
On Sat, Oct 29, 2011 at 3:07 AM, Peter Manev &lt;<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>&gt; wrote:<br>
&gt; Hi,<br>
&gt;<br>
&gt; That would probably be handled with some custom rule writing.<br>
&gt; If I understand your question correctly - you need to edit the particular<br>
&gt; rules (or add an edited version of the particular rule) to alert only when a<br>
&gt; connection attempt is made from your systems out to these &quot;bad&quot; hosts.<br>
&gt;<br>
&gt; Thanks<br>
&gt;<br>
&gt; On Fri, Oct 28, 2011 at 9:42 PM, Dewhirst, Rob &lt;<a href="mailto:robdewhirst@gmail.com">robdewhirst@gmail.com</a>&gt;<br>
&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; Is there a way I can have suricata NOT alert when certain rules<br>
&gt;&gt; (especially the DROP, COMPROMISED sets) are tripped for inbound<br>
&gt;&gt; connections?  For some of my public systems I don&#39;t care if known bad<br>
&gt;&gt; hosts are contacting them, but I most certainly want to know if they<br>
&gt;&gt; make connections *out* to those systems.<br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; Oisf-users mailing list<br>
&gt;&gt; <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
&gt;&gt; <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; --<br>
&gt; Peter Manev<br>
&gt;<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>