Yes! I would love the ability to allow certain signatures outbound but deny them inbound. Another issue I have is if I have a system (internal) generating a false positive on other internal SS systems. Let's say it's DNS Spoof for example. Currently I have to disable that signature if I don't want to see the many many false positives produced. Fine. That works. However, now that it's disabled I will not receive notification when external systems cause the same thing on my internal SS box.
Is there a way to accomplish this so that I could leave the signature enabled and collect events for external but not internal traffic? David -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McLean, Michael R Sent: Tuesday, November 01, 2005 10:41 AM To: ISS user group (E-mail) Subject: [ISSForum] I submitted this to ISS enhancement Anyone else ever come across this or a need for it? MRM I need the ability to block on incoming vs outgoing in my response filters. EX. I want to allow HTTP_clear_text sessions initiated from internal to flow thru. However these sessions initiated from the outside I want to block. The problem is I can write a rule that will allow a session from my 10.x.x.x to flow out, but I block the response. I need to know who initiated the session to be able to block effectively. MRM _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
