[Oisf-users] limit alerting to outbound vs inbound?

Dewhirst, Rob robdewhirst at gmail.com
Mon Oct 31 14:02:48 UTC 2011


That's creating a whole bunch of rules you know you are going to
suppress. If I am going to change the rules, shouldn't I just reverse
the direction?  It's half as many rules to process.

On Mon, Oct 31, 2011 at 8:49 AM, Eric Howard <ehoward at bbg.gov> wrote:
> Why not just change the rule(s) to be bi-directional and then apply the
> threshold.conf suppression?
>
> -- Eric --
>
> On 10/31/2011 09:41 AM, Dewhirst, Rob wrote:
>> No but that would suppress the events incoming but not reverse the
>> detection logic.  The rules are written to only detect incoming
>> connections.
>>
>> On Mon, Oct 31, 2011 at 8:19 AM, Eric Howard <ehoward at bbg.gov> wrote:
>>> Have you looked at configuring your threshold.conf file to suppress
>>> events based on the direction of the flow?
>>>
>>> -- eric --
>>>
>>> On 10/28/2011 03:42 PM, Dewhirst, Rob wrote:
>>>> Is there a way I can have suricata NOT alert when certain rules
>>>> (especially the DROP, COMPROMISED sets) are tripped for inbound
>>>> connections?  For some of my public systems I don't care if known bad
>>>> hosts are contacting them, but I most certainly want to know if they
>>>> make connections *out* to those systems.
>>>> _______________________________________________
>>>> Oisf-users mailing list
>>>> Oisf-users at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

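The three options discussed in the thread, as an added illustration that is not from the list or from the rule authors: the inbound-only rule as shipped, the bidirectional rule with a threshold.conf suppress entry, and the reversed rule. The bad-host address list, the public server address 203.0.113.10 and the sid values are constructed placeholders, not real DROP or COMPROMISED list entries.

```conf
# --- local.rules (added example; addresses and sids are constructed placeholders) ---

# 1. As shipped: fires only on packets *from* the listed hosts *to* $HOME_NET.
#    A suppress entry can hide these alerts but cannot make the rule see
#    the outbound direction, which is Rob's objection.
alert ip [192.0.2.0/24,198.51.100.7] any -> $HOME_NET any (msg:"KNOWN BAD src to HOME_NET (inbound)"; classtype:misc-attack; sid:9000001; rev:1;)

# 2. Eric's option: make the rule bidirectional, then let threshold.conf
#    drop the alerts where the public server is the destination.
alert ip [192.0.2.0/24,198.51.100.7] any <> $HOME_NET any (msg:"KNOWN BAD host and HOME_NET (either direction)"; classtype:misc-attack; sid:9000002; rev:1;)

# 3. Rob's option: reverse the direction so the rule fires only when a
#    HOME_NET host is the source. flow:to_server restricts it to packets
#    from the flow initiator, so the server's replies to an inbound
#    connection from a listed host do not trigger it.
alert ip $HOME_NET any -> [192.0.2.0/24,198.51.100.7] any (msg:"HOME_NET host to KNOWN BAD dst (outbound)"; flow:to_server; classtype:misc-attack; sid:9000003; rev:1;)

# --- threshold.conf (only needed for option 2) ---

# Inbound packets have the public server as destination and are suppressed;
# outbound packets have it as source and still alert.
suppress gen_id 1, sig_id 9000002, track by_dst, ip 203.0.113.10
```

With option 2 the server's own replies to an inbound connection still have the listed host as destination, so they alert unless the rule also carries flow:to_server; option 3 needs no suppress entry and processes half as many signatures, as Rob notes.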