Sorry -- wrong mailing list.  :)

On Tuesday, July 11, 2017 at 11:11:09 AM UTC-7, Ian Brown wrote:
>
> I've noticed there are lots of rules that look for low-reputation IP 
> addresses. Rules like this one:
>
> ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 385
> alert ip 
> [45.76.222.6,45.76.32.13,45.76.86.86,45.76.92.117,45.76.95.200,45.77.53.109,45.77.56.43,45.77.56.54,45.77.61.195,45.77.62.230]
>  
> any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node 
> Traffic group 385"; reference:url,
> doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, 
> track by_src, seconds 60, count 1; classtype:misc-attack; 
> flowbits:set,ET.TorIP; sid:2522768; rev:3019;) 
>
> Why only alert if traffic is going to HOME_NET and not also from HOME_NET? 
> If a compromised HOME_NET device sends UDP packets (C2C / exfiltration) to 
> any of these IP addresses, this rule won't fire, right?
>

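As an added illustration of the direction point raised in the quoted question (this is not code from the thread, nor Suricata's or Emerging Threats' own matching logic), the snippet below evaluates a simplified rule header against sample flows: the quoted `->` header beside the same header written with the bidirectional `<>` operator. The HOME_NET value and the flow addresses are constructed for the example.

```python
"""Evaluate a simplified Suricata/Snort rule header against a flow.

Added example, not from the original thread. HOME_NET and the sample
flows are constructed; the Tor relay list is the one quoted in the rule.
"""
import ipaddress
import re

# Constructed HOME_NET for the example; a real deployment sets its own value.
VARIABLES = {"HOME_NET": ["10.0.0.0/8"]}

TOR_IPS = ("45.76.222.6,45.76.32.13,45.76.86.86,45.76.92.117,45.76.95.200,"
           "45.77.53.109,45.77.56.43,45.77.56.54,45.77.61.195,45.77.62.230")

# Header as quoted: relay -> $HOME_NET only, so outbound flows never match.
ORIGINAL = "alert ip [%s] any -> $HOME_NET any" % TOR_IPS
# Same list with the bidirectional operator, which matches either direction.
BIDIRECTIONAL = "alert ip [%s] any <> $HOME_NET any" % TOR_IPS

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$")


def _networks(spec):
    """Resolve an address field to ip_network objects; None means 'any'."""
    if spec == "any":
        return None
    if spec.startswith("$"):
        spec = ",".join(VARIABLES[spec[1:]])
    return [ipaddress.ip_network(a) for a in spec.strip("[]").split(",")]


def _contains(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def header_matches(rule, src_ip, dst_ip):
    """True if the header (ports ignored) matches a flow src_ip -> dst_ip."""
    _action, _proto, src, _sp, direction, dst, _dp = HEADER_RE.match(rule).groups()
    src_nets, dst_nets = _networks(src), _networks(dst)
    forward = _contains(src_nets, src_ip) and _contains(dst_nets, dst_ip)
    if direction == "->":
        return forward
    # '<>' also matches with source and destination swapped
    return forward or (_contains(src_nets, dst_ip) and _contains(dst_nets, src_ip))


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("bidirectional", BIDIRECTIONAL)):
        print(name, "inbound :", header_matches(rule, "45.76.222.6", "10.1.2.3"))
        print(name, "outbound:", header_matches(rule, "10.1.2.3", "45.76.222.6"))
```

Run as written, the original header reports inbound True and outbound False, while the `<>` variant reports True for both, which is the gap the question describes.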