Feature #1002
open
Possible to disable/bypass a rule by a specific source IP and a destination IP?
Added by Hang Cheung about 11 years ago.
Updated over 5 years ago.
Description
Dear Support,
In IDS mode, we could suppress the alert by defining a "track by_src" / "track by_dst". Is it possible to do the same in IPS mode, disabling a particular rule, when a source ip / destination ip / both matched, without modifying the rule itself?
Regards,
Hang
- Target version set to TBD
- Assignee set to Andreas Herz
- Tracker changed from Support to Feature
- Assignee changed from Andreas Herz to Anonymous
Not sure how this should look in a rule:
suppress gen_id 1, sig_id 12345, track by_both, ip 1.2.3.4, ip 5.6.7.8
suppress gen_id 1, sig_id 12345, track by_src, ip 1.2.3.4, track by_dst, ip 5.6.7.8
Not very pretty.
Maybe track by_flowbit would be a better solution, then you can have a regular rule to set the bit. Of course you can also use flowbits directly in the rule you wish to suppress, but this may be simpler when adding exceptions to an existing ruleset.
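A worked version of the flowbits approach suggested above, added here as an example (it is not from the ticket or from Suricata's own rulesets). The addresses and sid 12345 come from the comment; the flowbit name exempt.pair, sid 9000001 and the content string are assumed placeholders:

```suricata
# Existing mechanism (threshold.config): one address per entry, so an
# exception for a specific source AND destination pair cannot be expressed.
suppress gen_id 1, sig_id 12345, track by_src, ip 1.2.3.4

# Alternative using flowbits, in the rule file itself.
# 1. Marker rule: sets a bit on any flow between the two hosts ("<>" covers
#    both directions). flowbits:noalert stops this rule from alerting itself.
alert ip 1.2.3.4 any <> 5.6.7.8 any (msg:"exemption marker for host pair"; flowbits:set,exempt.pair; flowbits:noalert; sid:9000001; rev:1;)

# 2. The rule to be bypassed gets a flowbits:isnotset check, so on marked
#    flows it no longer matches; in IPS mode that means it no longer drops.
#    Rules that set a flowbit are evaluated before rules that test it.
drop tcp any any -> any any (msg:"example drop rule with host-pair exception"; content:"EXAMPLE"; flowbits:isnotset,exempt.pair; sid:12345; rev:2;)
```

The marker rule only fires once the first packet between the pair is seen, so the check in the protected rule applies from that packet onward for the rest of the flow.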
- Assignee set to Community Ticket