[Oisf-users] GeoIP thresholding/supression

Kevin Ross kevross33 at googlemail.com
Fri Aug 23 14:29:01 UTC 2013


Not sure if this is on the cards but the ability to do geoip thresholding
could be useful in cases where a sig is useful but FPs within the local

suppress gen_id 1, sig_id XXXXXX, track by_src, geoip GB

That would give so much more flexibility in supression as I have signatures
which are to useful to disable but I get more FPs than anything else of
them for local stuff within the country which is legit but different IPs.

Kindest Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130823/68503587/attachment.html>

More information about the Oisf-users mailing list