[Oisf-users] GeoIP thresholding/suppression
Russell Fulton
r.fulton at auckland.ac.nz
Fri Aug 23 19:44:36 UTC 2013
I currently do stuff like this once I have the alerts in the db. It would certainly be nice to do this through the thresholding.
R
On 24/08/2013, at 2:29 AM, Kevin Ross <kevross33 at googlemail.com> wrote:
> Hi,
>
> Not sure if this is on the cards but the ability to do geoip thresholding could be useful in cases where a sig is useful but FPs within the local region.
>
> i.e.
> suppress gen_id 1, sig_id XXXXXX, track by_src, geoip GB
>
> That would give so much more flexibility in suppression as I have signatures which are too useful to disable but I get more FPs than anything else from them for local stuff within the country which is legit but different IPs.
>
>
> Kindest Regards,
> Kevin
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
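Suricata's threshold.config has no geoip option (suppress entries take gen_id, sig_id, track by_src/by_dst/by_either and an ip), so the country-based filtering Russell describes has to happen after the alerts are collected. The script below is an added example, not code from the thread or from the Suricata project: it applies a suppression list written in the spirit of Kevin's proposed syntax to alert records in Suricata's EVE JSON format. The GeoIP lookup is a constructed prefix table over documentation address ranges standing in for a real GeoIP database, and the signature id 2000001 and the sample alert lines are constructed too.

```python
"""Post-hoc GeoIP suppression of Suricata alerts (added example).

Assumptions: alerts are available as EVE JSON lines, and a country
lookup exists. Here the lookup is a constructed prefix table, not a
real GeoIP database.
"""
import ipaddress
import json

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
# Only documentation ranges are used; this is not real geolocation data.
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}


def country_of(ip):
    """Return the ISO country code for ip, or None when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


# Suppression entries mirroring the proposed syntax
#   suppress gen_id 1, sig_id <sid>, track by_src, geoip GB
# as (gen_id, sig_id, track, country). The sid is a constructed value.
SUPPRESS_RULES = [
    (1, 2000001, "by_src", "GB"),
]


def is_suppressed(alert, rules=SUPPRESS_RULES):
    """True when the alert matches an entry by gid/sid and the tracked
    address geolocates to the entry's country."""
    a = alert["alert"]
    for gid, sid, track, cc in rules:
        if a["gid"] != gid or a["signature_id"] != sid:
            continue
        ip = alert["src_ip"] if track == "by_src" else alert["dest_ip"]
        if country_of(ip) == cc:
            return True
    return False


def filter_alerts(eve_lines, rules=SUPPRESS_RULES):
    """Return the alert records from EVE JSON lines that survive suppression.
    Non-alert event types (flow, dns, ...) are skipped."""
    kept = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        if not is_suppressed(rec, rules):
            kept.append(rec)
    return kept


# Constructed EVE JSON lines (not real captures).
SAMPLE_EVE = [
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.10", "dest_ip": "10.0.0.5",
                "alert": {"gid": 1, "signature_id": 2000001, "signature": "TEST sig"}}),
    json.dumps({"event_type": "alert", "src_ip": "198.51.100.7", "dest_ip": "10.0.0.5",
                "alert": {"gid": 1, "signature_id": 2000001, "signature": "TEST sig"}}),
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.11", "dest_ip": "10.0.0.5",
                "alert": {"gid": 1, "signature_id": 2000002, "signature": "Other sig"}}),
    json.dumps({"event_type": "flow", "src_ip": "192.0.2.12", "dest_ip": "10.0.0.5"}),
]

if __name__ == "__main__":
    # Expected: the GB-sourced hit on sid 2000001 is dropped, the other two
    # alerts are kept and the flow record is ignored.
    for rec in filter_alerts(SAMPLE_EVE):
        print(rec["src_ip"], rec["alert"]["signature_id"])
```

Because the suppression key is (gid, sid, tracked address, country), a signature that fires on genuinely foreign sources still alerts; only the local-country false positives for that one sid are dropped, which is what makes this preferable to disabling the signature outright.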