Possible to disabling/bypassing a rule by a specific source ip and a destination ip?
In IDS mode, we could suppress the alert by defining a "track by_src" / "track by_dst". Is it possible to do the same in IPS mode, disabling a particular rule, when a source ip / destination ip / both matched, without modifying the rule itself?
Updated by Andreas Herz almost 7 years ago
This is also related to the general supress behaviour: https://redmine.openinfosecfoundation.org/issues/1247
Updated by Victor Julien over 5 years ago
- Tracker changed from Support to Feature
- Assignee changed from Andreas Herz to Anonymous
Not sure how this should look in a rule:
suppress gen_id 1, sig_id 12345, track by_both, ip 220.127.116.11, ip 18.104.22.168
suppress gen_id 1, sig_id 12345, track by_src, ip 22.214.171.124, track by_dst, ip 126.96.36.199
Not very pretty.
Maybe track by_flowbit would be a better solution, then you can have a regular rule to set the bit. Of course you can also use flowbits directly in the rule you wish to suppress, but this may be simpler when adding exceptions to an existing ruleset.