Feature #1662
closed
Disable action / rule ordering option
Description
Suricata needs a "disable action ordering" option.
For example, with the pseudo ruleset below, if the drop action is processed first, all packets to userGroup-25 will be dropped. If the pass action is processed first, the drop rule for Others will not be processed. So Suricata should process rules without reordering.
#Ruleset for userGroup-25
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.com"; sid:3230002; rev:1;)
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.net"; sid:3230004; rev:1;)
drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3230010; rev:1;)
...
#Rules for other userGroups
...
#Ruleset for Others
drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
pass tcp any any -> any any (msg:"Default Pass"; sid:3230011; rev:1;)
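
The ordering problem described above, replayed in a simplified first-match model (an added example, not Suricata code and not part of the original report). The `Rule` and `Conn` types, the `verdict` helper, the `others` group name and the sample certificate subjects are constructed for illustration; the model stands in for Suricata's detection engine rather than reproducing it.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "drop"
    proto: str               # "tls" or "tcp"
    dst: str                 # destination group, or "any"
    subject: Optional[str]   # tls.subject substring, None when absent
    sid: int

# The page's pseudo ruleset, kept in file order.
RULES = [
    Rule("pass", "tls", "userGroup-25", "example.com", 3230002),
    Rule("pass", "tls", "userGroup-25", "example.net", 3230004),
    Rule("drop", "tcp", "userGroup-25", None, 3230010),
    Rule("drop", "tls", "any", "example1.com", 3230007),
    Rule("pass", "tcp", "any", None, 3230011),
]

@dataclass(frozen=True)
class Conn:                  # constructed sample connection
    dst_group: str
    tls_subject: Optional[str]   # None for TCP without TLS

def matches(rule: Rule, conn: Conn) -> bool:
    if rule.dst not in ("any", conn.dst_group):
        return False
    if rule.proto == "tls" and conn.tls_subject is None:
        return False
    return rule.subject is None or rule.subject in conn.tls_subject

def verdict(conn: Conn, order: Optional[Sequence[str]] = None) -> Tuple[str, int]:
    """First matching rule wins. order=None evaluates in file order;
    otherwise rules are stably grouped by action, e.g. ("pass", "drop")."""
    rules = RULES if order is None else sorted(RULES, key=lambda r: order.index(r.action))
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.sid
    return "no-match", 0

if __name__ == "__main__":
    samples = [Conn("userGroup-25", "CN=example.com"),
               Conn("userGroup-25", "CN=other.org"),
               Conn("others", "CN=example1.com")]
    for c in samples:
        print(c, "file:", verdict(c),
              "pass-first:", verdict(c, ("pass", "drop")),
              "drop-first:", verdict(c, ("drop", "pass")))
```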