[Oisf-users] limit alerting to outbound vs inbound?

Victor Julien victor at inliniac.net
Sat Oct 29 11:09:37 EDT 2011


Note that there is currently a discussion thread on the emerging-sigs
mailing list (the source of these sigs) on what the proper direction is:

http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-October/016273.html

Speaking up there might get you heard!

Cheers,
Victor

On 10/29/2011 05:05 PM, Peter Manev wrote:
> that should do the trick.
> Maybe also
> "$HOME_NET -> badips" - if you know which ips the home net shouldn't be
> talking with.
> 
> On Sat, Oct 29, 2011 at 3:57 PM, Dewhirst, Rob <robdewhirst at gmail.com>wrote:
> 
>> Hm, replacing the "any -> $HOME_NET" with "$HOME_NET -> any" in all
>> the rules?  I thought of that but it seemed too simple.
>>
>> On Sat, Oct 29, 2011 at 3:07 AM, Peter Manev <petermanev at gmail.com> wrote:
>>> Hi,
>>>
>>> That would probably be handled with some custom rule writing.
>>> If I understand your question correctly - you need to edit the particular
>>> rules (or add an edited version of the particular rule) to alert only
>>> when a
>>> connection attempt is made from your systems out to these "bad" hosts.
>>>
>>> Thanks
>>>
>>> On Fri, Oct 28, 2011 at 9:42 PM, Dewhirst, Rob <robdewhirst at gmail.com>
>>> wrote:
>>>>
>>>> Is there a way I can have suricata NOT alert when certain rules
>>>> (especially the DROP, COMPROMISED sets) are tripped for inbound
>>>> connections?  For some of my public systems I don't care if known bad
>>>> hosts are contacting them, but I most certainly want to know if they
>>>> make connections *out* to those systems.
>>>> _______________________________________________
>>>> Oisf-users mailing list
>>>> Oisf-users at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>>
>>>
>>> --
>>> Peter Manev
>>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
> 
> 
> 
> 
> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
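The edit Peter and Rob describe above (turning "badips -> $HOME_NET" rules into "$HOME_NET -> badips" ones) is mechanical enough to script, and scripting it avoids two mistakes a hand edit invites: leaving the sid unchanged (so the new rule collides with the original) and forgetting that both ends of the header have to swap, not just the direction arrow. The following is an added example written for this thread; it is not Suricata, Emerging Threats or Oinkmaster code. It assumes single-line rules, that the home network variable is literally `$HOME_NET`, and that `sid_offset` (default 9000000) lands in a sid range that is free on your sensor. The sample rules, addresses (TEST-NET ranges) and sids are constructed for the example.

```python
"""Generate outbound-only variants of inbound "bad host" rules.

Added example for the oisf-users thread on inbound vs outbound alerting;
not part of Suricata or the ET rulesets.  Assumptions: one rule per line,
home network is "$HOME_NET", and sid_offset is a free local sid range.
"""
import re
from typing import List, Optional, Tuple

# header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'sid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'(msg:\s*")([^"]*)(")')
TRACK_RE = re.compile(r'track\s+by_(src|dst)')


def outbound_variant(rule: str, sid_offset: int = 9000000) -> Optional[str]:
    """Rewrite a "badips -> $HOME_NET" rule so it fires only for
    "$HOME_NET -> badips".  Returns None for rules that are not plain
    inbound rules (already outbound, bidirectional, or carrying flow:
    direction keywords, which need hand editing)."""
    m = HEADER_RE.match(rule.strip())
    if not m or m['dir'] != '->' or m['dst'] != '$HOME_NET':
        return None
    opts = m['opts']
    if re.search(r'\bflow\s*:', opts):
        return None
    sid = SID_RE.search(opts)
    if not sid:
        return None
    # fresh sid so the variant does not collide with the original rule
    new_sid = int(sid.group(1)) + sid_offset
    opts = opts[:sid.start()] + f'sid:{new_sid};' + opts[sid.end():]
    # relabel msg so analysts can tell the variant apart in alerts
    opts = MSG_RE.sub(
        lambda mm: mm.group(1)
        + (mm.group(2).replace('Inbound', 'Outbound')
           if 'Inbound' in mm.group(2) else mm.group(2) + ' Outbound')
        + mm.group(3),
        opts,
    )
    # the listed host is now the destination, so threshold on that side
    opts = TRACK_RE.sub(
        lambda t: 'track by_' + ('dst' if t.group(1) == 'src' else 'src'), opts)
    # swap both address/port pairs, not only the arrow
    return (f"{m['action']} {m['proto']} $HOME_NET {m['dport']} -> "
            f"{m['src']} {m['sport']} ({opts})")


def convert_ruleset(text: str, sid_offset: int = 9000000) -> Tuple[List[str], List[int]]:
    """Return (outbound rules, sids of the inbound originals that were
    converted).  The second list is what you feed to your disablesid
    mechanism: the inbound originals still fire unless you switch them off."""
    outbound, converted = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        variant = outbound_variant(line, sid_offset)
        if variant is None:
            continue
        outbound.append(variant)
        converted.append(int(SID_RE.search(line).group(1)))
    return outbound, converted


# constructed sample rules (TEST-NET addresses, local sids); not ET rules
SAMPLE_INBOUND = (
    'alert ip [192.0.2.10,198.51.100.0/24] any -> $HOME_NET any '
    '(msg:"EXAMPLE DROP Listed Traffic Inbound group 1"; flags:S; '
    'threshold: type limit, track by_src, seconds 3600, count 1; '
    'classtype:misc-attack; sid:1000001; rev:1;)'
)
SAMPLE_OUTBOUND = (
    'alert ip $HOME_NET any -> [192.0.2.10,198.51.100.0/24] any '
    '(msg:"EXAMPLE DROP Listed Traffic Outbound group 1"; flags:S; '
    'threshold: type limit, track by_dst, seconds 3600, count 1; '
    'classtype:misc-attack; sid:1000002; rev:1;)'
)
SAMPLE_RULESET = '# example ruleset\n' + SAMPLE_INBOUND + '\n' + SAMPLE_OUTBOUND + '\n'

if __name__ == '__main__':
    rules, sids = convert_ruleset(SAMPLE_RULESET)
    print('\n'.join(rules))
    print('disable inbound sids:', sids)
```

Running it on the constructed ruleset emits one outbound rule (with sid 10000001 and `track by_dst`) and reports sid 1000001 as the inbound original to disable; the rule that was already outbound is left alone. Note that as the thread says, the ruleset maintainers may already ship a dedicated outbound rule, in which case enabling that and disabling the inbound sids is simpler than generating your own.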


