[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ISSForum] I submitted this to ISS enhancement



Yes! I would love the ability to allow certain signatures outbound but
deny them inbound. Another issue I have is if I have a system (internal)
generating a false positive on other internal SS systems. Let's say it's
DNS Spoof for example. Currently I have to disable that signature if I
don't want to see the many many false positives produced. Fine. That
works. However, now that it's disabled I will not receive notification
when external systems cause the same thing on my internal SS box. 

Is there a way to accomplish this so that I could leave the signature
enabled and collect events for external but not internal traffic?


David

-----Original Message-----
From: issforum-bounces@xxxxxxx [mailto:issforum-bounces@xxxxxxx] On
Behalf Of McLean, Michael R
Sent: Tuesday, November 01, 2005 10:41 AM
To: ISS user group (E-mail)
Subject: [ISSForum] I submitted this to ISS enhancement

Anyone else ever come across this or a need for it?

MRM

I need the ability to block on incoming vs outgoing in my response
filters.
EX. I want to allow HTTP_clear_text sessions initiated from internal to
flow thru.
However these sessions initiated from the outside I want to block.
The problem is I can write a rule that will allow a session from my
10.x.x.x to flow out, but I block the response.
I need to know who initiated the session to be able to block
effectively.

MRM


_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.


_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.