Project

General

Profile

Actions
Copy link

Feature #1662

closed

Disable action / rule ordering option

Added by Özkan KIRIK over 8 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Suricata needs a "disable action ordering" option.

Forexample; with the pseudo ruleset as below, If drop action processed first, all packets to userGroup-25 will be dropped. If pass action processed first, drop rule for Others will not be processed. So that, suricata should process rules without reordering.

#Ruleset for userGroup-25
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.com"; sid:3230002; rev:1;)
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.net"; sid:3230004; rev:1;)
drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3230010; rev:1;)

...
#Rules for other userGroups
...

#Ruleset for Others
drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
pass tcp any any -> any any (msg:"Default Pass"; sid:3230011; rev:1;)

Actions
Copy link
 #1

Updated by Andreas Herz over 8 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #2

Updated by Andreas Herz almost 7 years ago

What order do you want to achieve? That's something you might want to solve when setting up the rules so that you have proper pass rules.

Actions
Copy link
 #3

Updated by Özkan KIRIK almost 7 years ago

Andreas Herz wrote:

What order do you want to achieve? That's something you might want to solve when setting up the rules so that you have proper pass rules.

The problem occurs when defining a default policy. I think the solution as you explain should be like

drop tls any any -> ! [$userGroup-25, $userGroup-23, $userGroup-24, $userGroup-21, ... ] any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
pass tcp any any -> ! [$userGroup-25, $userGroup-23, $userGroup-24, $userGroup-21, ... ] any (msg:"Default Pass"; sid:3230011; rev:1;)

If this is ok, we can close this feature request.

Actions
Copy link
 #4

Updated by Andreas Herz about 5 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions
Copy link

Also available in: Atom PDF