I've noticed there are lots of rules that look for low-reputation IP addresses. Rules like this one:

ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 385

alert ip [45.76.222.6,45.76.32.13,45.76.86.86,45.76.92.117,45.76.95.200,45.77.53.109,45.77.56.43,45.77.56.54,45.77.61.195,45.77.62.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 385"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522768; rev:3019;)

Why only alert if traffic is going to HOME_NET and not also from HOME_NET? If a compromised HOME_NET device sends UDP packets (C2C / exfiltration) to any of these IP addresses, this rule won't fire, right?
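As an added illustration (not part of the post, the ET ruleset, or OSSEC/Suricata code), here is a small Python matcher that parses the header of the quoted rule and evaluates it against constructed flows: it shows that the `->` operator only matches the inbound orientation, while Suricata's bidirectional `<>` operator would also match a device on the home network talking out to one of the listed addresses. The `$HOME_NET` value and the shortened address list are assumptions, and port fields are not evaluated since the rule uses `any` for both.

```python
import ipaddress
import re

# Constructed sample: an assumed $HOME_NET and a shortened copy of the quoted rule.
HOME_NET = ["10.0.0.0/8", "192.168.0.0/16"]
RULE = ('alert ip [45.76.222.6,45.76.32.13,45.77.62.230] any -> $HOME_NET any '
        '(msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 385"; sid:2522768;)')

# action proto src sport direction dst dport, followed by the option block.
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')


def parse_header(rule):
    """Split a Suricata/Snort rule header into its seven positional fields."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unrecognised rule header")
    action, proto, src, sport, direction, dst, dport = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}


def expand(addr_spec):
    """Turn an address field ([a,b,...], $HOME_NET, any, or one address) into networks."""
    if addr_spec == "any":
        return None  # None means "matches every address"
    if addr_spec.startswith("$"):
        return [ipaddress.ip_network(n) for n in HOME_NET]  # only $HOME_NET is modelled
    spec = addr_spec.strip("[]")
    return [ipaddress.ip_network(a) for a in spec.split(",")]


def addr_matches(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def rule_fires(rule, src_ip, dst_ip):
    """Does the rule header match a packet from src_ip to dst_ip? Ports are ignored."""
    h = parse_header(rule)
    s, d = expand(h["src"]), expand(h["dst"])
    forward = addr_matches(s, src_ip) and addr_matches(d, dst_ip)
    if h["dir"] == "->":
        return forward
    # '<>' is the bidirectional operator: either orientation of the flow matches.
    return forward or (addr_matches(s, dst_ip) and addr_matches(d, src_ip))


if __name__ == "__main__":
    print("inbound  from relay:", rule_fires(RULE, "45.76.222.6", "10.1.2.3"))
    print("outbound to relay:  ", rule_fires(RULE, "10.1.2.3", "45.76.222.6"))
    print("outbound with <>:   ", rule_fires(RULE.replace(" -> ", " <> "), "10.1.2.3", "45.76.222.6"))
```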
