[Oisf-users] GeoIP thresholding/suppression
Kevin Ross
kevross33 at googlemail.com
Fri Aug 23 14:29:01 UTC 2013
Hi,
Not sure if this is on the cards, but the ability to do geoip thresholding
could be useful in cases where a sig is useful but has FPs within the local
region.
i.e.
suppress gen_id 1, sig_id XXXXXX, track by_src, geoip GB
That would give so much more flexibility in suppression, as I have signatures
which are too useful to disable but I get more FPs than anything else from
them for local stuff within the country which is legit but from different IPs.
Kindest Regards,
Kevin