Yes, but I would still be collecting the data (1000's to 100,000's of unnecessary events in the database). I was asking if there was a method to not even have the signature fire in certain circumstances. I don't want to filter the results; I want to have this data not collected at all if it is internal. I can do this with a ProventiaG appliance policy, but I don't know how with Server Sensor.
David

________________________________
From: Andres Riancho [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 03, 2005 12:54 PM
To: CAUSEY, David
Cc: McLean, Michael R; ISS user group (E-mail)
Subject: Re: [ISSForum] I submitted this to ISS enhancement

You could use exceptions to filter DNS_Spoof from some IP's.

On 11/3/05, CAUSEY, David <[EMAIL PROTECTED]> wrote:

Yes! I would love the ability to allow certain signatures outbound but deny them inbound.

Another issue I have is if I have a system (internal) generating a false positive on other internal SS systems. Let's say it's DNS Spoof for example. Currently I have to disable that signature if I don't want to see the many many false positives produced. Fine. That works. However, now that it's disabled I will not receive notification when external systems cause the same thing on my internal SS box. Is there a way to accomplish this so that I could leave the signature enabled and collect events for external but not internal traffic?

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McLean, Michael R
Sent: Tuesday, November 01, 2005 10:41 AM
To: ISS user group (E-mail)
Subject: [ISSForum] I submitted this to ISS enhancement

Anyone else ever come across this or a need for it?

MRM

I need the ability to block on incoming vs outgoing in my response filters.

EX. I want to allow HTTP_clear_text sessions initiated from internal to flow thru. However these sessions initiated from the outside I want to block. The problem is I can write a rule that will allow a session from my 10.x.x.x to flow out, but I block the response. I need to know who initiated the session to be able to block effectively.
MRM

_______________________________________________
ISSForum mailing list
[email protected]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

--
Andres Riancho
http://www.securearg.net/
Secure from the source
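
Added example, not part of the original thread and not ISS Server Sensor or Proventia configuration: a sketch of the two behaviours asked for above, deciding allow/block by who initiated the TCP session, and dropping an event at collection time when its source is internal. The 10.0.0.0/8 internal range follows the "10.x.x.x" mentioned in the thread; the class and function names and the sample packets are hypothetical.

```python
import ipaddress

# Assumed internal range, taken from the "10.x.x.x" in the thread.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

class InitiatorTracker:
    """Remembers which side opened each TCP session (first bare SYN seen)."""

    def __init__(self):
        self.initiator = {}  # frozenset of both endpoints -> initiator IP

    def verdict(self, src, sport, dst, dport, flags):
        # Direction-independent key, so the reply maps to the same session.
        key = frozenset([(src, sport), (dst, dport)])
        if flags == "S":  # bare SYN: src is opening the session
            self.initiator.setdefault(key, src)
        opener = self.initiator.get(key)
        if opener is None:
            return "block"  # no known opener for this packet: fail closed
        # Policy from the thread: internally initiated sessions flow,
        # externally initiated ones are blocked, in both directions.
        return "allow" if is_internal(opener) else "block"

def should_record(signature, src, suppress_internal):
    """Collection-time suppression: False means the event is never stored."""
    return not (signature in suppress_internal and is_internal(src))

# Constructed sample traffic: (src, sport, dst, dport, TCP flags)
PACKETS = [
    ("10.1.2.3", 40000, "198.51.100.7", 80, "S"),    # internal opens session
    ("198.51.100.7", 80, "10.1.2.3", 40000, "SA"),   # response to it
    ("203.0.113.9", 51000, "10.1.2.4", 80, "S"),     # external opens session
    ("10.1.2.4", 80, "203.0.113.9", 51000, "SA"),    # response to it
]

def run(packets):
    tracker = InitiatorTracker()
    return [tracker.verdict(*p) for p in packets]

if __name__ == "__main__":
    print(run(PACKETS))
    for src in ("10.5.5.5", "203.0.113.9"):  # constructed event sources
        print(src, should_record("DNS_Spoof", src, {"DNS_Spoof"}))
```

A stateless rule keyed only on source and destination address cannot tell the second packet from the third; the session table is what lets the response to an internally initiated session through.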
