Feature #111
Closed
Add support for pass rules in inline mode and associated rule application order.
Description
Currently in inline mode we don't have support for pass rules. This should be added. See section 1.5.1 of the Snort manual for rule order application. We do not need to support activation/dynamic rules, but in addition to what is listed we need to support rejectsrc and rejectdst actions.
Regards,
Will
Updated by Victor Julien almost 15 years ago
- Assignee changed from OISF Dev to Victor Julien
- Estimated time changed from 2.50 h to 0.00 h
Will be a task. Can you explain a bit more about what we need?
Updated by Victor Julien over 14 years ago
- Due date changed from 04/01/2010 to 04/30/2010
- Target version changed from 0.8.2 to 0.9.0
Updated by Will Metcalf over 14 years ago
I guess there are really two parts here. Currently we don't support pass rules; we parse them, set ACTION_PASS for them, but don't actually implement the action.
grep "ACTION_PASS" * -r
action-globals.h:#define ACTION_PASS 0x20
detect-parse.c: s->action = ACTION_PASS;
The second part is that we should support a user-defined rule evaluation order. From the Snort manual:
"config order: <order> Changes the order that rules are evaluated, eg: pass alert log activation."
"The current rule application order is:
activation->dynamic->pass->drop->sdrop->reject->alert->log
This will ensure that a drop rule has precedence over an alert or log rule."
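The precedence described in the comment above, as an added example that is not Suricata's or Snort's own code: it parses a "config order"-style string and picks the winning action when several rules match the same packet. Only the ACTION_PASS value comes from the page; the other action values, the four-action subset, and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* ACTION_PASS is the value quoted above; the others are constructed here. */
#define ACTION_ALERT  0x01
#define ACTION_DROP   0x02
#define ACTION_REJECT 0x04
#define ACTION_PASS   0x20

static const struct { const char *name; int action; } names[] = {
    {"pass", ACTION_PASS}, {"drop", ACTION_DROP},
    {"reject", ACTION_REJECT}, {"alert", ACTION_ALERT},
};
#define N_ACTIONS (sizeof(names) / sizeof(names[0]))

/* Parse a "config order"-style string into order[]. Returns the number of
   actions, or -1 on an unknown name, a duplicate, or too many entries. */
int parse_order(const char *spec, int order[], size_t max) {
    char buf[128];
    size_t n = 0;
    int seen = 0;
    if (strlen(spec) >= sizeof(buf)) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        size_t i = 0;
        while (i < N_ACTIONS && strcmp(tok, names[i].name) != 0) i++;
        if (i == N_ACTIONS || (seen & names[i].action) || n == max) return -1;
        seen |= names[i].action;
        order[n++] = names[i].action;
    }
    return (int)n;
}

/* Of the actions of all rules that matched one packet, return the action
   that comes first in order[]; 0 if none of them is listed. */
int resolve_action(const int order[], int n_order, const int hits[], int n_hits) {
    for (int i = 0; i < n_order; i++)
        for (int j = 0; j < n_hits; j++)
            if (hits[j] == order[i]) return order[i];
    return 0;
}

int main(void) {
    /* Constructed case: alert, drop and pass rules all match one packet. */
    int order[4], hits[] = { ACTION_ALERT, ACTION_DROP, ACTION_PASS };
    int n = parse_order("pass drop reject alert", order, 4);
    printf("pass first: 0x%02x\n", resolve_action(order, n, hits, 3));
    n = parse_order("drop pass reject alert", order, 4);
    printf("drop first: 0x%02x\n", resolve_action(order, n, hits, 3));
    return 0;
}
```

With pass ahead of drop, a matching pass rule overrides a matching drop rule, so in inline mode an overly broad pass rule suppresses blocking; listing drop first reverses that.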
Updated by Victor Julien over 14 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Patches applied and pushed out.