
| Subject: | Re: [ISSForum] I submitted this to ISS enhancement |
|---|---|
| Date: | Thu, 3 Nov 2005 14:53:43 -0300 |

You could use exceptions to filter DNS_Spoof from some IPs.

On 11/3/05, CAUSEY, David <davidc@lmi.org> wrote:

> Yes! I would love the ability to allow certain signatures outbound but deny them inbound.
>
> Another issue I have is if I have a system (internal) generating a false positive on other internal SS systems. Let's say it's DNS Spoof for example. Currently I have to disable that signature if I don't want to see the many many false positives produced. Fine. That works. However, now that it's disabled I will not receive notification when external systems cause the same thing on my internal SS box. Is there a way to accomplish this so that I could leave the signature enabled and collect events for external but not internal traffic?
>
> David
>
> -----Original Message-----
> From: issforum-bounces@iss.net [mailto:issforum-bounces@iss.net] On Behalf Of McLean, Michael R
> Sent: Tuesday, November 01, 2005 10:41 AM
> To: ISS user group (E-mail)
> Subject: [ISSForum] I submitted this to ISS enhancement
>
> Anyone else ever come across this or a need for it?
>
> MRM
>
> I need the ability to block on incoming vs outgoing in my response filters. EX. I want to allow HTTP_clear_text sessions initiated from internal to flow thru. However these sessions initiated from the outside I want to block. The problem is I can write a rule that will allow a session from my 10.x.x.x to flow out, but I block the response. I need to know who initiated the session to be able to block effectively.
>
> MRM
>
> _______________________________________________
> ISSForum mailing list ISSForum@iss.net
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
> To contact the ISSForum Moderator, send email to mod-issforum@iss.net
> The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

--
Andres Riancho
http://www.securearg.net/
Secure from the source
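
A generic sketch of the direction-aware filtering discussed in this thread, added here as an illustration; it is not ISS product configuration and not code from any poster. The 10.0.0.0/8 internal range follows the thread's "10.x.x.x"; the event fields, the `InitiatorTable` class, the action names and the sample addresses are constructed assumptions.

```python
import ipaddress

# Assumption: internal range is 10.0.0.0/8, after the thread's "10.x.x.x".
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

class InitiatorTable:
    """Records which endpoint opened each TCP session (SYN without ACK)."""
    def __init__(self):
        self._opened_by = {}

    @staticmethod
    def _key(src, sport, dst, dport):
        # Direction-independent, so a response maps to the same session.
        return frozenset([(src, sport), (dst, dport)])

    def observe(self, src, sport, dst, dport, flags):
        if "S" in flags and "A" not in flags:
            self._opened_by.setdefault(self._key(src, sport, dst, dport), src)

    def initiator(self, src, sport, dst, dport):
        return self._opened_by.get(self._key(src, sport, dst, dport))

def decide(event, table):
    """Return 'allow', 'block', 'alert' or 'suppress' for one event."""
    if event["signature"] == "HTTP_clear_text":
        who = table.initiator(event["src"], event["sport"], event["dst"], event["dport"])
        # Unknown initiator is treated like an external one.
        return "allow" if who and is_internal(who) else "block"
    if event["signature"] == "DNS_Spoof":
        # Exception for internal sources only; external sources still alert.
        return "suppress" if is_internal(event["src"]) else "alert"
    return "alert"

def demo():
    # Constructed traffic and events; external IPs are documentation ranges.
    table = InitiatorTable()
    table.observe("10.1.2.3", 40000, "203.0.113.10", 80, "S")   # internal opens
    table.observe("203.0.113.10", 80, "10.1.2.3", 40000, "SA")  # ignored: SYN+ACK
    table.observe("198.51.100.7", 51000, "10.1.2.8", 80, "S")   # external opens
    events = [
        dict(signature="HTTP_clear_text", src="203.0.113.10", sport=80, dst="10.1.2.3", dport=40000),
        dict(signature="HTTP_clear_text", src="198.51.100.7", sport=51000, dst="10.1.2.8", dport=80),
        dict(signature="DNS_Spoof", src="10.1.2.5"),
        dict(signature="DNS_Spoof", src="198.51.100.9"),
    ]
    return [decide(e, table) for e in events]
```
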