You could use exceptions to filter DNS_Spoof from some IP's. On 11/3/05, CAUSEY, David <[EMAIL PROTECTED]> wrote: > > Yes! I would love the ability to allow certain signatures outbound but > deny them inbound. Another issue I have is if I have a system (internal) > generating a false positive on other internal SS systems. Let's say it's > DNS Spoof for example. Currently I have to disable that signature if I > don't want to see the many many false positives produced. Fine. That > works. However, now that it's disabled I will not receive notification > when external systems cause the same thing on my internal SS box. > > Is there a way to accomplish this so that I could leave the signature > enabled and collect events for external but not internal traffic? > > > David > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of McLean, Michael R > Sent: Tuesday, November 01, 2005 10:41 AM > To: ISS user group (E-mail) > Subject: [ISSForum] I submitted this to ISS enhancement > > Anyone else ever come across this or a need for it? > > MRM > > I need the ability to block on incoming vs outgoing in my response > filters. > EX. I want to allow HTTP_clear_text sessions initiated from internal to > flow thru. > However these sessions initiated from the outside I want to block. > The problem is I can write a rule that will allow a session from my > 10.x.x.x to flow out, but I block the response. > I need to know who initiated the session to be able to block > effectively. > > MRM > > > _______________________________________________ > ISSForum mailing list > [email protected] > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to > https://atla-mm1.iss.net/mailman/listinfo/issforum > > To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] > > The ISSForum mailing list is hosted and managed by Internet Security > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. > > > _______________________________________________ > ISSForum mailing list > [email protected] > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to > https://atla-mm1.iss.net/mailman/listinfo/issforum > > To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] > > The ISSForum mailing list is hosted and managed by Internet Security > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. >
-- Andres Riancho http://www.securearg.net/ Secure from the source _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
