[Oisf-users] limit alerting to outbound vs inbound?

Peter Manev petermanev at gmail.com
Sat Oct 29 08:07:36 UTC 2011


Hi,

That would probably be handled with some custom rule writing.
If I understand your question correctly, you need to edit the particular
rules (or add an edited version of the particular rule) to alert only when
a connection attempt is made from your systems out to these "bad" hosts.

Thanks

On Fri, Oct 28, 2011 at 9:42 PM, Dewhirst, Rob <robdewhirst at gmail.com> wrote:

> Is there a way I can have suricata NOT alert when certain rules
> (especially the DROP, COMPROMISED sets) are tripped for inbound
> connections?  For some of my public systems I don't care if known bad
> hosts are contacting them, but I most certainly want to know if they
> make connections *out* to those systems.



-- 
Peter Manev
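As an added illustration of the edit Peter describes (constructed example, not from the thread or from any published rule set): a generic reputation-style rule that fires on inbound traffic from listed hosts, followed by the outbound-only version you would add instead. The address list, message text and sids are placeholders; $HOME_NET is assumed to be set to your own ranges in suricata.yaml.

```suricata
# Generic form of a "known bad host" rule: source is the listed hosts,
# destination is the local network, so it fires whenever one of them
# contacts a public system. 192.0.2.0/24 and 198.51.100.7 are placeholder
# addresses from the documentation (TEST-NET) ranges.
alert ip [192.0.2.0/24,198.51.100.7] any -> $HOME_NET any (msg:"EXAMPLE inbound traffic from listed host"; classtype:misc-attack; sid:9000001; rev:1;)

# Edited version for the question asked: swap the address groups so the
# local network is the source and the listed hosts are the destination,
# and add flow:to_server so the rule only matches the client-to-server
# side of a session, i.e. a connection the local host initiated.
# Leave the inbound rule out of your rule files (or disable it) if you
# do not want those alerts at all.
alert tcp $HOME_NET any -> [192.0.2.0/24,198.51.100.7] any (msg:"EXAMPLE outbound connection to listed host"; flow:to_server; classtype:misc-attack; sid:9000002; rev:1;)

# Alternative without touching the rule text: keep the inbound rule loaded
# but silence it in threshold.config. This drops the alert for sid 9000001
# only; the outbound rule above keeps alerting.
suppress gen_id 1, sig_id 9000001
```

After loading, test with a connection from an internal host to one of the listed placeholder addresses (for example, to a lab box you control that you put on the list); only sid 9000002 should appear in fast.log.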