[Oisf-users] limit alerting to outbound vs inbound?

Dewhirst, Rob robdewhirst at gmail.com
Sat Oct 29 09:57:14 EDT 2011


Hm, replacing the "any -> $HOME_NET" with "$HOME_NET -> any" in all
the rules?  I thought of that but it seemed to simple.

On Sat, Oct 29, 2011 at 3:07 AM, Peter Manev <petermanev at gmail.com> wrote:
> Hi,
>
> That would probably be handled with some custom rule writing.
> If I understand your question correctly - you need to edit the particular
> rules (or add an edited version of the particular rule) to alert only when a
> connection attempt is made from your systems out to these "bad" hosts.
>
> Thanks
>
> On Fri, Oct 28, 2011 at 9:42 PM, Dewhirst, Rob <robdewhirst at gmail.com>
> wrote:
>>
>> Is there a way I can have suricata NOT alert when certain rules
>> (especially the DROP, COMPROMISED sets) are tripped for inbound
>> connections?  For some of my public systems I don't care if known bad
>> hosts are contacting them, but I most certainly want to know if they
>> make connections *out* to those systems.
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
>
> --
> Peter Manev
>


More information about the Oisf-users mailing list