Feature #2906
closed
Make sure that noalert is set in newly enabled rules
Added by Konstantin Klinger almost 6 years ago.
Updated over 5 years ago.
Description
Suricata-update comes with a function whereby rules that depend on flowbits get enabled recursively until all flowbit dependencies/conflicts are resolved. This leads to the following problem: rules that have previously been disabled (e.g. in disable.conf) will get enabled and could produce a lot of noise (e.g. ET INFO rules that match on vulnerable Java versions). I would suggest adding the option "flowbit-no-alert" to enable flowbit dependencies "silently", so that no alerts get triggered for those rules.
- Description updated (diff)
I think it's worth discussing if this should be the default behaviour rather than a flag. I had meant to do this in the initial version, and either forgot, or thought I did it already (which I obviously have not).
Jason Ish wrote:
I think it's worth discussing if this should be the default behaviour rather than a flag. I had meant to do this in the initial version, and either forgot, or thought I did it already (which I obviously have not).
Yes, I would vote for default behavior. But it is also worth a discussion, because in this way we are "manipulating" the original rule in some way by adding "flowbits:noalert;".
Yeah, I feel this is a sensible default as well.
Shall I include this as default behavior in the pull request?
Konstantin Klinger wrote:
Shall I include this as default behavior in the pull request?
Yes please. I'm wondering if there should be an option to turn this off? My feeling right now is no, just make it work this way.
- Status changed from New to Feedback
What do you think about doing the same thing for "xbits"? I am thinking about a resolve_xbits function and also enabling dependent rules silently with "noalert;".
- Status changed from Feedback to Resolved
- Status changed from Resolved to Closed
Konstantin Klinger wrote:
What do you think about doing the same thing for "xbits"? I am thinking about a resolve_xbits function and also enabling dependent rules silently with "noalert;".
Yes, we should consider the same for xbits.
- Target version changed from TBD to 1.1.0rc1
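The behaviour discussed in this issue, as an added stand-alone example: recursive enabling of disabled rules whose flowbits are tested by enabled rules, marking every rule enabled that way with "flowbits:noalert;" so it cannot add noise on its own, and the same treatment for xbits as suggested in the last comments. This is illustrative code written for this page, not suricata-update's implementation; the Rule class, the resolve_bits, render and process functions and the sample rule set are all constructed here. It assumes disabled rules are written as "#"-commented lines (the form suricata-update emits), that set/setx/toggle/unset provide a bit and isset/isnotset consume one, and that a rule enabled by the resolver is marked by appending "flowbits:noalert;" to its option list.

```python
import re

# Which bit actions provide a bit and which consume one. This split is an
# assumption made for this example; it is not a quote of suricata-update.
SETTERS = {"set", "setx", "toggle", "unset"}
GETTERS = {"isset", "isnotset"}

# flowbits:<action>[,<arg>]  and  xbits:<action>[,<name>,track ...]
BIT_RE = re.compile(r"\b(flowbits|xbits)\s*:\s*([a-z]+)(?:\s*,\s*([^,;]+))?")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


class Rule:
    """One rule line; a leading '#' means it was written out disabled."""

    def __init__(self, line):
        self.raw = line.strip()
        self.enabled = not self.raw.startswith("#")
        self.text = self.raw.lstrip("# ")
        m = SID_RE.search(self.text)
        self.sid = int(m.group(1)) if m else None
        self.noalert = False          # True if the rule carries flowbits:noalert
        self.provides = set()         # bits this rule sets, as (keyword, name)
        self.requires = set()         # bits this rule tests, as (keyword, name)
        for keyword, action, arg in BIT_RE.findall(self.text):
            if action == "noalert":
                self.noalert = True
                continue
            # flowbits may test several bits at once (a|b or a&b); xbits take one name
            names = re.split(r"[|&]", arg) if keyword == "flowbits" else [arg]
            for name in (n.strip() for n in names if n.strip()):
                if action in SETTERS:
                    self.provides.add((keyword, name))
                elif action in GETTERS:
                    self.requires.add((keyword, name))


def resolve_bits(rules):
    """Enable disabled rules that set a bit some enabled rule tests.

    Loops to a fixpoint so chains are followed: enabling a rule that itself
    tests another bit pulls in that bit's setter on the next pass. Every
    rule enabled here is flagged noalert so it cannot add noise on its own.
    Returns the sids that were enabled this way.
    """
    silently_enabled = set()
    while True:
        required = set()
        for r in rules:
            if r.enabled:
                required |= r.requires
        changed = False
        for r in rules:
            if not r.enabled and r.provides & required:
                r.enabled = True
                r.noalert = True
                silently_enabled.add(r.sid)
                changed = True
        if not changed:
            return silently_enabled


def render(rule):
    """Write a rule back out, adding flowbits:noalert; once if it was flagged."""
    text = rule.text
    if rule.noalert and "flowbits:noalert;" not in text.replace(" ", ""):
        close = text.rfind(")")                       # end of the option list
        text = text[:close] + " flowbits:noalert;)"
    return text if rule.enabled else "# " + text


def process(ruleset_text):
    """Parse a rule file, resolve bit dependencies, return (enabled sids, lines)."""
    rules = [Rule(line) for line in ruleset_text.splitlines() if line.strip()]
    enabled = resolve_bits(rules)
    return enabled, [render(r) for r in rules]


# Constructed sample rule file (not real ET rules): sids 1000001, 1000003,
# 1000004 and 1000007 are disabled but feed enabled rules; 1000006 feeds nothing.
SAMPLE_RULES = """\
# alert http any any -> any any (msg:"vulnerable Java client seen"; flowbits:set,ET.http.javaclient.vulnerable; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"exploit kit after vulnerable Java"; flowbits:isset,ET.http.javaclient.vulnerable; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"stage one, sets a"; flowbits:set,chain.a; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"stage two, needs a, sets b"; flowbits:isset,chain.a; flowbits:set,chain.b; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"stage three, needs b"; flowbits:isset,chain.b; sid:1000005; rev:1;)
# alert tcp any any -> any any (msg:"nobody tests this bit"; flowbits:set,orphan; sid:1000006; rev:1;)
# alert tcp any any -> any any (msg:"scanner seen"; xbits:set,scanner,track ip_src,expire 600; sid:1000007; rev:1;)
alert tcp any any -> any any (msg:"login from known scanner"; xbits:isset,scanner,track ip_src; sid:1000008; rev:1;)
"""

if __name__ == "__main__":
    enabled, lines = process(SAMPLE_RULES)
    print("silently enabled:", sorted(enabled))
    print("\n".join(lines))
```

Running it enables 1000001, 1000003, 1000004 and 1000007 with "flowbits:noalert;" appended, leaves the already-enabled consumers (1000002, 1000005, 1000008) untouched so they still alert, and keeps 1000006 disabled because no enabled rule tests its bit. Feeding the output back through process() is a no-op, which matters for a tool that rewrites the same rule files on every update.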