[Emerging-Sigs] IP Rules Direction

Dewhirst, Rob robdewhirst at gmail.com
Mon Oct 31 14:42:53 EST 2011


I am not really sure.  My fundamental problem is my sensors are in the
wrong place anyway.  I was just looking for a quick fix for the noise.

I'd prefer to be able to say "these are public servers, do not enforce
DROP/COMP/RBN rules against them incoming, but do so for every other
network"

I could probably tune my address groups a lot better.

On Mon, Oct 31, 2011 at 1:45 PM, Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote:
> Thanks Rob.
>
> So… is your preference bi-directional rules, or dual rulesets?
>
> Or waiting till ip_reputation is functional. :)
>
> Matt
>
>
> On Oct 29, 2011, at 1:58 PM, Dewhirst, Rob wrote:
>
>> I was encouraged to pipe up in this thread based on a question I asked
>> on the OISF list.
>>
>> FWIW, we run a lot of sensors on public systems and care less about
>> scans and compromised or hostile systems contacting our public web
>> servers.
>>
>> On the other hand, we absolutely do want to know when one of our
>> systems makes an outbound connection to something in a blacklist.
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
>
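One way to implement the per-address-group direction policy Rob describes (blacklist rules still enforced on traffic leaving the network, but not on traffic arriving at the public servers), as an added Python example that is neither part of this thread nor Emerging Threats code. It also covers the bidirectional-rule case Matt raises by splitting `<>` rules into two one-way rules. `$PUBLIC_SERVERS` is an assumed address-group variable the operator would define alongside `$HOME_NET`; the rules, sids and addresses in the test are constructed.

```python
import re

# Address-group variables: $HOME_NET as used in ET rules, $PUBLIC_SERVERS is an
# assumed operator-defined group of hosts exempt from inbound reputation alerts.
HOME_NET = "$HOME_NET"
PUBLIC_SERVERS = "$PUBLIC_SERVERS"

# Snort/Suricata rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"sid:\s*(\d+);")


def _render(f: dict) -> str:
    return "{action} {proto} {src} {sport} {dir} {dst} {dport} ({opts})".format(**f)


def exempt_public_servers(rule: str, split_sid_offset: int = 1000000) -> list[str]:
    """Return the rule(s) to load so the blacklist applies outbound for every
    host but inbound only for hosts outside PUBLIC_SERVERS.
    - outbound (HOME_NET -> list): unchanged
    - inbound (list -> HOME_NET): destination becomes [HOME_NET,!PUBLIC_SERVERS]
    - bidirectional (list <> HOME_NET): split into the two above; the inbound
      copy gets sid + split_sid_offset to keep sids unique (constructed
      convention, not an ET sid allocation)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised rule header: {rule!r}")
    f = m.groupdict()
    exempt_dst = f"[{HOME_NET},!{PUBLIC_SERVERS}]"

    if f["dir"] == "->":
        if f["dst"] == HOME_NET:          # inbound: carve out the public servers
            f["dst"] = exempt_dst
        return [_render(f)]               # outbound or unrelated: leave as is

    if HOME_NET not in (f["src"], f["dst"]):
        return [_render(f)]               # '<>' not involving HOME_NET: untouched
    if f["src"] == HOME_NET:              # keep ports paired with their address
        home_port, list_port, listed = f["sport"], f["dport"], f["dst"]
    else:
        home_port, list_port, listed = f["dport"], f["sport"], f["src"]
    sid = SID_RE.search(f["opts"])
    if not sid:
        raise ValueError("bidirectional rule without a sid cannot be split safely")
    new_opts = SID_RE.sub(f"sid:{int(sid.group(1)) + split_sid_offset};", f["opts"], count=1)
    outbound = dict(f, dir="->", src=HOME_NET, sport=home_port, dst=listed, dport=list_port)
    inbound = dict(f, dir="->", src=listed, sport=list_port, dst=exempt_dst,
                   dport=home_port, opts=new_opts)
    return [_render(outbound), _render(inbound)]
```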