[Oisf-users] limit alerting to outbound vs inbound?

Eric Howard ehoward at bbg.gov
Mon Oct 31 08:19:09 EST 2011


Have you looked at configuring your threshhold.conf file to suppress
events based on teh direction of the flow?

-- eric --

On 10/28/2011 03:42 PM, Dewhirst, Rob wrote:
> Is there a way I can have suricata NOT alert when certain rules
> (especially the DROP, COMPROMISED sets) are tripped for inbound
> connections?  For some of my public systems I don't care if known bad
> hosts are contacting them, but I most certainly want to know if they
> make connections *out* to those systems.
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users



More information about the Oisf-users mailing list