Feature #111
closed
Add support for pass rules in inline mode and associated rule application order.
Added by Will Metcalf over 14 years ago.
Updated over 14 years ago.
Description
Currently, in inline mode we don't have support for pass rules. This should be added. See section 1.5.1 of the Snort manual for rule order application. We do not need to support activation/dynamic rules, but in addition to what is listed we need to support rejectsrc and rejectdst actions.
Regards,
Will
- Assignee changed from OISF Dev to Victor Julien
- Estimated time changed from 2.50 h to 0.00 h
Will be a task. Can you explain a bit more about what we need?
- Due date changed from 04/01/2010 to 04/30/2010
- Target version changed from 0.8.2 to 0.9.0
I guess there are really two parts here. Currently we don't support pass rules: we parse them and set ACTION_PASS for them, but don't actually implement the action.
grep "ACTION_PASS" * -r
action-globals.h:#define ACTION_PASS 0x20
detect-parse.c: s->action = ACTION_PASS;
The second part is that we should support a user-defined rule evaluation order. From the Snort manual...
"config order: <order> Changes the order that rules are evaluated, eg: pass alert log activation."
"The current rule application order is:
->activation->dynamic->pass->drop->sdrop->reject->alert->log
This will ensure that a drop rule has precedence over an alert or log rule."
- Status changed from New to Closed
- % Done changed from 0 to 100
Patches applied and pushed out.
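The configurable evaluation order discussed in this issue, as an added example that is not Suricata's code or the applied patch: a simplified model in which the action class evaluated first decides the packet. The enum, `parse_order` and `first_action` are hypothetical names; activation/dynamic are left out and rejectsrc/rejectdst included, as the description requests.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical action ids for this example, not Suricata's ACTION_* values. */
enum { A_PASS, A_DROP, A_SDROP, A_REJECT, A_REJECTSRC, A_REJECTDST,
       A_ALERT, A_LOG, A_COUNT };
static const char *const action_names[A_COUNT] = {
    "pass", "drop", "sdrop", "reject", "rejectsrc", "rejectdst", "alert", "log" };
/* Parse a space-separated order list into rank[] (0 = evaluated first); actions
 * left out keep rank -1. Returns -1 on an unknown or repeated name, else 0. */
int parse_order(const char *order, int rank[A_COUNT]) {
    char buf[128];
    int pos = 0;
    if (strlen(order) >= sizeof(buf))
        return -1;
    strcpy(buf, order);
    for (int i = 0; i < A_COUNT; i++)
        rank[i] = -1;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        int id = -1;
        for (int i = 0; i < A_COUNT; i++)
            if (strcmp(tok, action_names[i]) == 0)
                id = i;
        if (id < 0 || rank[id] != -1)
            return -1;
        rank[id] = pos++;
    }
    return 0;
}

/* Of the actions of all rules that matched one packet, return the one that
 * comes first in the configured order, or -1 if none of them is enabled. */
int first_action(const int *matched, int n, const int rank[A_COUNT]) {
    int best = -1;
    for (int i = 0; i < n; i++) {
        int a = matched[i];
        if (a >= 0 && a < A_COUNT && rank[a] >= 0 &&
            (best < 0 || rank[a] < rank[best]))
            best = a;
    }
    return best;
}

int main(void) {
    int rank[A_COUNT], hits[] = { A_ALERT, A_DROP, A_PASS }; /* constructed */
    if (parse_order("pass drop sdrop reject alert log", rank) != 0)
        return 1;
    puts(action_names[first_action(hits, 3, rank)]); /* prints "pass" */
    return 0;
}
```

With the order changed to "drop pass alert", the same three matches resolve to drop, which is why the order needs to be explicit in inline mode.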