My external sensors for one network are placed at the external router. This sensor sees traffic for two /23 subnets. I would like to filter either all inbound traffic, or if necessary, all traffic to the second subnet. Outbound traffic might still be nice for Acceptable-Use violations, but I don't want to see any of the inbound traffic for the second subnet.
Now then, how to do this? If I go into my 2.2.2 Director, I can go to excluded subnets, but there I must add a Sig, Sub-sig pair to the subnet. Does this mean that I must place an entry for every possible sig, sub-sig pair? Or is there a wild-card that can be used to match all sigs and sub-sigs? BTW, this would also be nice for other filters where I have to add a line for every possible sub-sig for a sig like packet fragmentation. (I have one server that uses fragmentation, and I keep having to add filters to catch lesser-used sub-sigs.)
As always, I am so grateful to y'all for your help....
Upgrade to 2.2.3 on the director and 3.0(1)S4 on the sensor.
The new 2.2.3 Unix Director allows you to exclude (or even include, which is a new feature in 3.0 that overrides excludes) with the use of wildcards.
You can exclude all signatures, or exclude all subsignatures for a given set of signatures.
You can also use the keyword IN to filter on all Protected Networks, or the keyword OUT to filter on all addresses outside the Protected Networks. These 2 new keywords can be used for either the source and/or destination addresses in your filter.
I think once you've upgraded to 2.2.3 and the 3.0 sensor then you will be able to do everything you requested in your post.
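As an added illustration, not part of the reply above and not Cisco's actual Director/sensor filter syntax, here is a small Python model of the filter semantics the reply describes: a wildcard for all signatures or all sub-signatures, the IN and OUT keywords resolved against the Protected Networks, and an include filter overriding an exclude. The protected networks, the signature IDs 2004 and 1200, the host 10.1.0.50 and all other addresses are constructed placeholders, chosen to mirror the original poster's case (drop everything inbound to the second /23, drop all fragmentation sub-sigs from one server, keep outbound traffic).

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: two /23s behind the external router (assumed values).
PROTECTED = [ipaddress.ip_network("10.1.0.0/23"), ipaddress.ip_network("10.1.2.0/23")]


@dataclass(frozen=True)
class Filter:
    """One exclude/include rule. '*' is a wildcard; src/dst may also be IN or OUT."""
    action: str   # "exclude" or "include"
    sig: str      # signature id or "*"
    subsig: str   # sub-signature id or "*"
    src: str      # CIDR, "IN", "OUT" or "*"
    dst: str      # CIDR, "IN", "OUT" or "*"


def _addr_matches(spec, addr, protected):
    """Resolve a filter address spec against one IP using the protected-network list."""
    ip = ipaddress.ip_address(addr)
    inside = any(ip in net for net in protected)
    if spec == "*":
        return True
    if spec == "IN":       # any address inside the Protected Networks
        return inside
    if spec == "OUT":      # any address outside the Protected Networks
        return not inside
    return ip in ipaddress.ip_network(spec, strict=False)


def _filter_matches(f, alert, protected):
    return (f.sig in ("*", alert["sig"])
            and f.subsig in ("*", alert["subsig"])
            and _addr_matches(f.src, alert["src"], protected)
            and _addr_matches(f.dst, alert["dst"], protected))


def is_suppressed(alert, filters, protected=PROTECTED):
    """True if the alert is filtered out. An include that matches beats any exclude."""
    matched = [f for f in filters if _filter_matches(f, alert, protected)]
    if any(f.action == "include" for f in matched):
        return False
    return any(f.action == "exclude" for f in matched)


# Filters for the poster's situation (assumed signature ids and addresses):
FILTERS = [
    # all sigs, all sub-sigs, from outside to the second /23: drop inbound there
    Filter("exclude", "*", "*", "OUT", "10.1.2.0/23"),
    # every sub-sig of the (assumed) fragmentation sig 1200 from one server
    Filter("exclude", "1200", "*", "10.1.0.50/32", "*"),
    # but keep alerting on one host in the second /23 (include overrides exclude)
    Filter("include", "*", "*", "*", "10.1.2.10/32"),
]


def demo():
    """Run a few constructed alerts through the filter list; returns name -> suppressed."""
    alerts = {
        "inbound_second_subnet": {"sig": "2004", "subsig": "0", "src": "203.0.113.5", "dst": "10.1.2.20"},
        "inbound_first_subnet":  {"sig": "2004", "subsig": "0", "src": "203.0.113.5", "dst": "10.1.0.20"},
        "outbound_second_subnet": {"sig": "2004", "subsig": "0", "src": "10.1.2.20", "dst": "203.0.113.5"},
        "frag_from_server":      {"sig": "1200", "subsig": "3", "src": "10.1.0.50", "dst": "198.51.100.7"},
        "included_host":         {"sig": "2004", "subsig": "0", "src": "203.0.113.5", "dst": "10.1.2.10"},
    }
    return {name: is_suppressed(a, FILTERS) for name, a in alerts.items()}


if __name__ == "__main__":
    for name, dropped in demo().items():
        print(f"{name:24s} {'suppressed' if dropped else 'alerted'}")
```

The point of the include rule is worth checking before relying on it: in this model an include wins whenever it matches, regardless of how specific the exclude is, which is the behaviour the reply attributes to the 3.0 feature; confirm the precedence on the real sensor before using it to carve exceptions out of a broad OUT-to-subnet exclude.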
We have configured the outside and inside Interface with official IPv6 addresses, set a default route on the outside Interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside Interface to any6.
In Syslog I also se...