Project

General

Profile

Actions

Feature #1002

open

Possible to disabling/bypassing a rule by a specific source ip and a destination ip?

Added by Hang Cheung over 10 years ago. Updated about 5 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Dear Support,

In IDS mode, we could suppress the alert by defining a "track by_src" / "track by_dst". Is it possible to do the same in IPS mode, disabling a particular rule, when a source ip / destination ip / both matched, without modifying the rule itself?

Regards,
Hang

Actions #1

Updated by Victor Julien over 10 years ago

  • Target version set to TBD
Actions #2

Updated by Andreas Herz over 9 years ago

This is also related to the general supress behaviour: https://redmine.openinfosecfoundation.org/issues/1247

Actions #3

Updated by Andreas Herz over 8 years ago

  • Assignee set to Andreas Herz
Actions #4

Updated by Victor Julien almost 8 years ago

  • Tracker changed from Support to Feature
  • Assignee changed from Andreas Herz to Anonymous

Not sure how this should look in a rule:

suppress gen_id 1, sig_id 12345, track by_both, ip 1.2.3.4, ip 5.6.7.8
suppress gen_id 1, sig_id 12345, track by_src, ip 1.2.3.4, track by_dst, ip 5.6.7.8

Not very pretty.

Maybe track by_flowbit would be a better solution, then you can have a regular rule to set the bit. Of course you can also use flowbits directly in the rule you wish to suppress, but this may be simpler when adding exceptions to an existing ruleset.

Actions #5

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
Actions

Also available in: Atom PDF