Re: [ISSForum] I submitted this to ISS enhancement

Subject: Re: [ISSForum] I submitted this to ISS enhancement
Date: Fri, 4 Nov 2005 13:14:40 -0500
Yes but I would still be collecting the data (1000's to 100,000's of
unnecessary events in database). I was asking if there was a method to
not even have the signature fire in certain circumstances. I don't want
to filter the results, I want to have this data not collected at all if
it is internal. I can do this with a ProventiaG appliance policy but I
don't know how with Server Sensor.

David

________________________________

From: Andres Riancho [mailto:andres.riancho@gmail.com] 
Sent: Thursday, November 03, 2005 12:54 PM
To: CAUSEY, David
Cc: McLean, Michael R; ISS user group (E-mail)
Subject: Re: [ISSForum] I submitted this to ISS enhancement

 

You could use exceptions to filter DNS_Spoof from some IP's.

On 11/3/05, CAUSEY, David <davidc@lmi.org> wrote: 

Yes! I would love the ability to allow certain signatures outbound but
deny them inbound. Another issue I have is if I have a system (internal)
generating a false positive on other internal SS systems. Let's say it's
DNS Spoof for example. Currently I have to disable that signature if I
don't want to see the many many false positives produced. Fine. That 
works. However, now that it's disabled I will not receive notification
when external systems cause the same thing on my internal SS box.

Is there a way to accomplish this so that I could leave the signature
enabled and collect events for external but not internal traffic?


David

-----Original Message-----
From: issforum-bounces@iss.net [mailto:issforum-bounces@iss.net] On
Behalf Of McLean, Michael R
Sent: Tuesday, November 01, 2005 10:41 AM
To: ISS user group (E-mail)
Subject: [ISSForum] I submitted this to ISS enhancement

Anyone else ever come across this or a need for it? 

MRM

I need the ability to block on incoming vs outgoing in my response
filters.
EX. I want to allow HTTP_clear_text sessions initiated from internal to
flow thru.
However these sessions initiated from the outside I want to block. 
The problem is I can write a rule that will allow a session from my
10.x.x.x to flow out, but I block the response.
I need to know who initiated the session to be able to block
effectively.

MRM


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security 
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.


-- 
Andres Riancho
http://www.securearg.net/ Secure from the source 
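
The problem raised in the first message of this thread (a source-address rule lets the internal client's packets out but blocks the response) comes down to remembering who sent the first SYN. The following is an added illustration, not part of the thread and not ISS Server Sensor or Proventia configuration; the 10.0.0.0/8 range, the sample packets and all names are constructed assumptions.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the thread's 10.x.x.x range

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def stateless_verdict(src):
    # Source-address rule only: lets internal hosts send, drops everything else,
    # including the replies to sessions those internal hosts opened.
    return "allow" if is_internal(src) else "block"

class InitiatorTracker:
    """Remembers which endpoint opened each TCP session (hypothetical helper)."""

    def __init__(self):
        self.sessions = {}  # direction-independent flow key -> initiator IP

    def verdict(self, src, sport, dst, dport, flags):
        # Sort the endpoints so both directions of a flow share one key.
        key = tuple(sorted([(src, sport), (dst, dport)]))
        # SYN without ACK is the first handshake packet; its sender is the initiator.
        # setdefault keeps the first initiator if a later bare SYN shows up on the flow.
        if "S" in flags and "A" not in flags:
            self.sessions.setdefault(key, src)
        initiator = self.sessions.get(key)
        if "R" in flags:
            self.sessions.pop(key, None)  # reset ends the session; a real tracker also needs timeouts
        if initiator is None:
            return "block"  # no handshake seen for this flow: fail closed
        return "allow" if is_internal(initiator) else "block"

# Constructed sample packets: (src, sport, dst, dport, TCP flags)
PACKETS = [
    ("10.1.2.3", 40000, "203.0.113.5", 80, "S"),    # internal client opens a session
    ("203.0.113.5", 80, "10.1.2.3", 40000, "SA"),   # external server's response
    ("10.1.2.3", 40000, "203.0.113.5", 80, "A"),
    ("198.51.100.7", 50000, "10.1.2.9", 80, "S"),   # external host opens a session
    ("10.1.2.9", 80, "198.51.100.7", 50000, "SA"),  # internal server's response
]

def compare(packets):
    tracker = InitiatorTracker()
    return [(stateless_verdict(p[0]), tracker.verdict(*p)) for p in packets]

if __name__ == "__main__":
    for pkt, result in zip(PACKETS, compare(PACKETS)):
        print(pkt, "stateless=%s stateful=%s" % result)
```

The second and fifth packets are where the two approaches disagree: the source-address rule drops the reply to an internally initiated session and passes the internal server's reply to an externally initiated one.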
