Project

General

Profile

Actions

Feature #1662

closed

Disable action / rule ordering option

Added by Özkan KIRIK almost 7 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Suricata needs a "disable action ordering" option.

Forexample; with the pseudo ruleset as below, If drop action processed first, all packets to userGroup-25 will be dropped. If pass action processed first, drop rule for Others will not be processed. So that, suricata should process rules without reordering.

#Ruleset for userGroup-25
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.com"; sid:3230002; rev:1;)
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.net"; sid:3230004; rev:1;)
drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3230010; rev:1;)

...
#Rules for other userGroups
...

#Ruleset for Others
drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
pass tcp any any -> any any (msg:"Default Pass"; sid:3230011; rev:1;)

Actions

Also available in: Atom PDF