[Oisf-users] limit alerting to outbound vs inbound?
petermanev at gmail.com
Sat Oct 29 11:05:27 EDT 2011
that should do the trick.
Maybe also
"$HOME_NET -> badips" - if you know which IPs the home net shouldn't be
On Sat, Oct 29, 2011 at 3:57 PM, Dewhirst, Rob <robdewhirst at gmail.com> wrote:
> Hm, replacing the "any -> $HOME_NET" with "$HOME_NET -> any" in all
> the rules? I thought of that but it seemed too simple.
> On Sat, Oct 29, 2011 at 3:07 AM, Peter Manev <petermanev at gmail.com> wrote:
> > Hi,
> > That would probably be handled with some custom rule writing.
> > If I understand your question correctly - you need to edit the particular
> > rules (or add an edited version of the particular rule) to alert only when a
> > connection attempt is made from your systems out to these "bad" hosts.
> > Thanks
> > On Fri, Oct 28, 2011 at 9:42 PM, Dewhirst, Rob <robdewhirst at gmail.com>
> > wrote:
> >> Is there a way I can have suricata NOT alert when certain rules
> >> (especially the DROP, COMPROMISED sets) are tripped for inbound
> >> connections? For some of my public systems I don't care if known bad
> >> hosts are contacting them, but I most certainly want to know if they
> >> make connections *out* to those systems.
> >> _______________________________________________
> >> Oisf-users mailing list
> >> Oisf-users at openinfosecfoundation.org
> >> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > --
> > Peter Manev
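The direction flip discussed in this thread, as an added example that is not part of the original exchange and not a Suricata or Emerging Threats tool: a small rewriter that takes rules of the form "any -> $HOME_NET" and turns them into "$HOME_NET -> any" by swapping the two endpoints (and their ports), so the rule only fires on traffic leaving the home net. The rule lines it processes are constructed here for illustration and the sids are hypothetical. It deliberately leaves alone rules whose destination is some other variable (e.g. $HTTP_SERVERS) and rules that carry flow:to_client, because the header direction is per packet rather than per connection, so those need a manual look rather than a blind swap.

```python
import re

# Header of a Suricata rule: action proto src sport dir dst dport (options)
# Address lists such as [192.0.2.1,198.51.100.0/24] contain no spaces, so \S+ is enough.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Rules written for server-to-client packets cannot simply be flipped.
TO_CLIENT_RE = re.compile(r"flow\s*:[^;]*to_client")


def to_outbound(rule, home="$HOME_NET"):
    """Rewrite one rule so it only matches packets leaving `home`.

    Returns (rule_text, status). The header direction describes packet
    direction, not who opened the connection, so a rule that matches
    server-to-client packets (flow:to_client) is returned for manual review.
    """
    m = HEADER_RE.match(rule.strip())
    if not m:
        return rule, "unparsed"
    h = m.groupdict()
    if TO_CLIENT_RE.search(h["opts"]):
        return rule, "manual"
    if h["src"] == home:
        if h["dir"] == "->":
            return rule, "already-outbound"
        # "<>" with home as source: keep only the outgoing leg
        new = "%s %s %s %s -> %s %s (%s)" % (
            h["action"], h["proto"], home, h["sport"], h["dst"], h["dport"], h["opts"])
        return new, "rewritten"
    if h["dst"] != home:
        # Destination is some other variable or address; not ours to decide.
        return rule, "no-home-dst"
    # Swap the endpoints and their ports so home becomes the source.
    new = "%s %s %s %s -> %s %s (%s)" % (
        h["action"], h["proto"], home, h["dport"], h["src"], h["sport"], h["opts"])
    return new, "rewritten"


def rewrite_ruleset(text, home="$HOME_NET"):
    """Process a rules file; comments and blank lines pass through untouched."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append((line, "passthrough"))
        else:
            out.append(to_outbound(line, home))
    return out


# Constructed sample rules (hypothetical sids, documentation address ranges).
SAMPLE_RULES = """\
# constructed sample rules, not from any real ruleset
alert ip [192.0.2.10,198.51.100.0/24] any -> $HOME_NET any (msg:"sample known bad host inbound"; classtype:misc-attack; sid:1000001; rev:1;)
alert ip $HOME_NET any -> [192.0.2.10,198.51.100.0/24] any (msg:"sample known bad host outbound"; classtype:misc-attack; sid:1000002; rev:1;)
alert ip $HOME_NET any <> [203.0.113.5] any (msg:"sample bidirectional"; sid:1000003; rev:1;)
alert tcp any 80 -> $HOME_NET any (msg:"sample response content"; flow:to_client,established; content:"x"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"sample uses another variable"; sid:1000005; rev:1;)
"""

if __name__ == "__main__":
    for line, status in rewrite_ruleset(SAMPLE_RULES):
        print("%-16s %s" % (status, line))
```

If the edited rule replaces the original it keeps the original sid; if you keep both versions loaded, give the copy a different sid, since Suricata rejects a second signature with the same sid and gid. Rules whose status comes back "manual" or "no-home-dst" should be handled by hand.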