Feature #1002 (open): Possible to disable/bypass a rule by a specific source IP and a destination IP?
Description
Dear Support,
In IDS mode, we could suppress the alert by defining a "track by_src" / "track by_dst". Is it possible to do the same in IPS mode, disabling a particular rule when a source IP, a destination IP, or both match, without modifying the rule itself?
Regards,
Hang
Updated by Andreas Herz about 10 years ago
This is also related to the general suppress behaviour: https://redmine.openinfosecfoundation.org/issues/1247
Updated by Victor Julien over 8 years ago
- Tracker changed from Support to Feature
- Assignee changed from Andreas Herz to Anonymous
Not sure how this should look in a rule:
suppress gen_id 1, sig_id 12345, track by_both, ip 1.2.3.4, ip 5.6.7.8
suppress gen_id 1, sig_id 12345, track by_src, ip 1.2.3.4, track by_dst, ip 5.6.7.8
Not very pretty.
Maybe track by_flowbit would be a better solution, then you can have a regular rule to set the bit. Of course you can also use flowbits directly in the rule you wish to suppress, but this may be simpler when adding exceptions to an existing ruleset.
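As an added illustration of both the IDS-style suppression from the description and the flowbits approach Victor mentions, the fragment below is example configuration written for this page, not taken from the issue or from the Suricata project. The addresses 1.2.3.4 / 5.6.7.8 and sid 12345 are the ones used in the thread; the flowbit name exempt.sid12345, the exception sid 9000001, and the HTTP content in the sample rule are constructed for the example.

```suricata
# --- threshold.config: existing Suricata suppression, one dimension per entry ---
# Suppresses alerts from sid 12345 when the source is 1.2.3.4, or when the
# destination is 5.6.7.8. There is no single entry that keys on the src/dst pair.
suppress gen_id 1, sig_id 12345, track by_src, ip 1.2.3.4
suppress gen_id 1, sig_id 12345, track by_dst, ip 5.6.7.8

# --- rules file: per-flow exception via flowbits, usable in IPS mode ---
# Exception rule: matches only traffic from 1.2.3.4 to 5.6.7.8, sets a flowbit on
# that flow and never alerts itself. Suricata orders signatures that set a flowbit
# ahead of signatures that check it, so the bit is in place before sid 12345 runs.
alert ip 1.2.3.4 any -> 5.6.7.8 any (msg:"EXCEPTION exempt src/dst pair from sid 12345"; flowbits:set,exempt.sid12345; flowbits:noalert; sid:9000001; rev:1;)

# Original rule (constructed sample) with the only change being the added
# flowbits:isnotset check. For this exact pair the rule no longer matches at all,
# so in IPS mode nothing is dropped, not merely un-alerted. Other flows are unaffected.
drop tcp any any -> any 80 (msg:"SAMPLE suspicious HTTP request"; flow:established,to_server; content:"GET"; http_method; content:"/cmd.exe"; http_uri; flowbits:isnotset,exempt.sid12345; classtype:web-application-attack; sid:12345; rev:2;)

# What the comment above proposes (NOT valid Suricata syntax, shown only for comparison):
#   suppress gen_id 1, sig_id 12345, track by_flowbit, name exempt.sid12345
# would let the exception live in threshold.config with no edit to sid 12345.
```

The practical caveat is the one the issue turns on: with today's threshold.config the exception cannot express a src/dst pair and only suppresses the alert, whereas the flowbits form gives a true pair-scoped bypass but requires touching the original rule. When several rules should honour the same exception, one exception rule setting a single flowbit can be referenced from each of them.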