
Re: [ISSForum] I submitted this to ISS enhancement



You could use exceptions to filter DNS_Spoof from some IPs.

On 11/3/05, CAUSEY, David <davidc@xxxxxxx> wrote:
>
> Yes! I would love the ability to allow certain signatures outbound but
> deny them inbound. Another issue I have is if I have a system (internal)
> generating a false positive on other internal SS systems. Let's say it's
> DNS Spoof for example. Currently I have to disable that signature if I
> don't want to see the many many false positives produced. Fine. That
> works. However, now that it's disabled I will not receive notification
> when external systems cause the same thing on my internal SS box.
>
> Is there a way to accomplish this so that I could leave the signature
> enabled and collect events for external but not internal traffic?
>
>
> David
>
> -----Original Message-----
> From: issforum-bounces@xxxxxxx [mailto:issforum-bounces@xxxxxxx] On
> Behalf Of McLean, Michael R
> Sent: Tuesday, November 01, 2005 10:41 AM
> To: ISS user group (E-mail)
> Subject: [ISSForum] I submitted this to ISS enhancement
>
> Anyone else ever come across this or a need for it?
>
> MRM
>
> I need the ability to block on incoming vs outgoing in my response
> filters.
> EX. I want to allow HTTP_clear_text sessions initiated from internal to
> flow thru.
> However these sessions initiated from the outside I want to block.
> The problem is I can write a rule that will allow a session from my
> 10.x.x.x to flow out, but I block the response.
> I need to know who initiated the session to be able to block
> effectively.
>
> MRM
>
>
> _______________________________________________
> ISSForum mailing list
> ISSForum@xxxxxxx
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx
>
> The ISSForum mailing list is hosted and managed by Internet Security
> Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
>



--
Andres Riancho
http://www.securearg.net/ Secure from the source
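
Added example, not part of the original messages and not ISS product configuration: a generic Python sketch of the problem in the original request, comparing a rule that looks only at addresses with one that remembers who opened the TCP session. The packet records, the sample addresses outside 10.x.x.x, and the fail-closed choice for sessions first seen mid-stream are assumptions made for illustration.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # the 10.x.x.x range from the thread

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def address_only_verdict(pkt):
    """Stateless rule from the thread: allow anything sourced from 10.x.x.x."""
    return "pass" if is_internal(pkt["src"]) else "block"

class InitiatorFilter:
    """Stateful rule: the verdict follows whoever opened the TCP session."""

    def __init__(self):
        self.opener = {}  # session key -> IP that sent the first bare SYN

    def verdict(self, pkt):
        # Same key for both directions of one session.
        key = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        if pkt["flags"] == "S":  # SYN without ACK marks the initiator
            self.opener.setdefault(key, pkt["src"])
        opener = self.opener.get(key)
        if opener is None:
            return "block"  # assumption: fail closed on sessions first seen mid-stream
        return "pass" if is_internal(opener) else "block"

def pkt(src, sport, dst, dport, flags):
    return dict(src=src, sport=sport, dst=dst, dport=dport, flags=flags)

# Constructed sample traffic (documentation addresses stand in for the outside).
OUTBOUND = [pkt("10.1.2.3", 40000, "203.0.113.5", 80, "S"),
            pkt("203.0.113.5", 80, "10.1.2.3", 40000, "SA"),
            pkt("10.1.2.3", 40000, "203.0.113.5", 80, "A")]
INBOUND = [pkt("198.51.100.7", 50000, "10.1.2.9", 80, "S"),
           pkt("10.1.2.9", 80, "198.51.100.7", 50000, "SA")]

def run(packets, rule):
    """Apply one rule to each packet of a flow and return the verdicts in order."""
    return [rule(p) for p in packets]

if __name__ == "__main__":
    for name, flow in (("outbound", OUTBOUND), ("inbound", INBOUND)):
        print(name, "address-only:", run(flow, address_only_verdict))
        print(name, "initiator:   ", run(flow, InitiatorFilter().verdict))
```

The address-only rule blocks the reply to an internally opened session and passes the internal server's reply to an externally opened one; the initiator-based rule gets both cases right.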