Feature #1002
openPossible to disabling/bypassing a rule by a specific source ip and a destination ip?
Description
Dear Support,
In IDS mode, we could suppress the alert by defining a "track by_src" / "track by_dst". Is it possible to do the same in IPS mode, disabling a particular rule, when a source ip / destination ip / both matched, without modifying the rule itself?
Regards,
Hang
Updated by Andreas Herz over 10 years ago
This is also related to the general supress behaviour: https://redmine.openinfosecfoundation.org/issues/1247
Updated by Victor Julien over 8 years ago
- Tracker changed from Support to Feature
- Assignee changed from Andreas Herz to Anonymous
Not sure how this should look in a rule:
suppress gen_id 1, sig_id 12345, track by_both, ip 1.2.3.4, ip 5.6.7.8
suppress gen_id 1, sig_id 12345, track by_src, ip 1.2.3.4, track by_dst, ip 5.6.7.8
Not very pretty.
Maybe track by_flowbit would be a better solution, then you can have a regular rule to set the bit. Of course you can also use flowbits directly in the rule you wish to suppress, but this may be simpler when adding exceptions to an existing ruleset.