[Oisf-users] limit alerting to outbound vs inbound?

Dewhirst, Rob robdewhirst at gmail.com
Mon Oct 31 13:41:24 UTC 2011


No, but that would suppress the events incoming but not reverse the
detection logic. The rules are written to only detect incoming
connections.

On Mon, Oct 31, 2011 at 8:19 AM, Eric Howard <ehoward at bbg.gov> wrote:
> Have you looked at configuring your threshold.conf file to suppress
> events based on the direction of the flow?
>
> -- eric --
>
> On 10/28/2011 03:42 PM, Dewhirst, Rob wrote:
>> Is there a way I can have suricata NOT alert when certain rules
>> (especially the DROP, COMPROMISED sets) are tripped for inbound
>> connections?  For some of my public systems I don't care if known bad
>> hosts are contacting them, but I most certainly want to know if they
>> make connections *out* to those systems.
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
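As an added illustration of the two mechanisms discussed above (not code from the thread, from Suricata or from Emerging Threats), the script below does both halves: it rewrites inbound-only rules so the same bad-host lists fire on connections going *out* from $HOME_NET, and it emits threshold.conf suppress lines that silence the original inbound rules only when the destination is one of your public hosts. The sample rules, their SIDs (9000001, 9000002), the netblocks (TEST-NET ranges), the public host 203.0.113.10 and the local SID offset are all constructed for this example; the `suppress gen_id ..., sig_id ..., track by_dst, ip ...` form is standard threshold.conf syntax.

```python
"""Flip inbound-only Suricata rules to outbound and emit threshold.conf
suppressions for the inbound originals.  Hypothetical example: SIDs,
address lists and the public host are constructed, not real ET content."""
import re
from typing import List, Optional, Tuple

# Constructed sample ruleset in ET-style layout (fake SIDs, TEST-NET blocks).
SAMPLE_RULES = """\
alert ip [192.0.2.0/24,198.51.100.0/24] any -> $HOME_NET any (msg:"HYPOTHETICAL DROP Listed Traffic Inbound group 1"; flags:S; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:9000001; rev:1;)
alert ip [203.0.113.0/24] any -> $HOME_NET any (msg:"HYPOTHETICAL COMPROMISED Known Hostile Host Inbound group 1"; flags:S; classtype:misc-attack; sid:9000002; rev:2;)
# comment lines and anything that is not a unidirectional rule pass through untouched
"""

# Rule header: action proto src sport dir dst dport (options)
RULE_HEADER = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
LOCAL_SID_OFFSET = 1_000_000  # hypothetical: keep generated SIDs in a local range


def reverse_rule(rule: str) -> Optional[str]:
    """Return the rule with source and destination swapped, or None when the
    line is not a '->' rule (comment, blank line, bidirectional '<>' rule)."""
    m = RULE_HEADER.match(rule.strip())
    if not m or m.group('dir') != '->':
        return None
    g = m.groupdict()
    # The bad-host list moves from source to destination: a SYN (flags:S)
    # from $HOME_NET to the list is exactly the outbound connection attempt.
    # flow:to_server/to_client is relative to the flow's client, so it still
    # reads correctly after the header swap and is left alone.
    header = (f"{g['action']} {g['proto']} {g['dst']} {g['dport']} -> "
              f"{g['src']} {g['sport']}")
    opts = g['opts']
    # Per-bad-host rate limiting must follow the list to the destination side.
    opts = re.sub(r'track\s+by_src', 'track by_dst', opts)
    # Relabel the message so the two rules are distinguishable in alerts.
    opts = re.sub(r'(msg:"[^"]*)Inbound', r'\1Outbound', opts)
    # Give the generated rule its own SID and restart its revision counter.
    sid = int(re.search(r'sid:\s*(\d+)', opts).group(1))
    opts = re.sub(r'sid:\s*\d+', f'sid:{sid + LOCAL_SID_OFFSET}', opts)
    opts = re.sub(r'rev:\s*\d+', 'rev:1', opts)
    return f"{header} ({opts})"


def suppress_inbound(sid: int, public_hosts: List[str], gid: int = 1) -> List[str]:
    """threshold.conf lines that drop alerts for this SID only when the
    destination is one of our public hosts, i.e. traffic inbound to them.
    A plain 'suppress gen_id 1, sig_id N' would silence the rule entirely."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {host}"
            for host in public_hosts]


def rewrite_ruleset(text: str, public_hosts: List[str]) -> Tuple[List[str], List[str]]:
    """Produce (outbound rules, threshold.conf suppressions) for a ruleset."""
    outbound, suppressions = [], []
    for line in text.splitlines():
        flipped = reverse_rule(line)
        if flipped is None:
            continue
        outbound.append(flipped)
        sid = int(re.search(r'sid:\s*(\d+)', line).group(1))
        suppressions.extend(suppress_inbound(sid, public_hosts))
    return outbound, suppressions


if __name__ == "__main__":
    rules, thresholds = rewrite_ruleset(SAMPLE_RULES, ["203.0.113.10"])
    print("# local-outbound.rules")
    print("\n".join(rules))
    print("\n# threshold.conf additions")
    print("\n".join(thresholds))
```

The generated rules go in a local rules file loaded alongside the original set, and the suppress lines go in threshold.conf; the original inbound rules keep firing for hosts that are not listed, while connections from $HOME_NET to the bad-host lists alert under the new SIDs. Address variables and rules with parentheses inside `msg` would need a more careful parser than the single regular expression used here.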