Project

General

Profile

Actions

Feature #2906

closed

Make sure that noalert is set in newly enabled rules

Added by Konstantin Klinger about 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
low
Difficulty:
low
Label:

Description

Suricata-update comes with the function that rules that depend on flowbits will get enabled recursively until all flowbit dependencies/conflicts are resolved. This leads to the following problem: Rules that have been previously disabled (e.g. in disable.conf) will get enabled and could produce a lot of noise (e.g. ET INFO rules that match on vulnerable Java versions). I would suggest to add the option "flowbit-no-alert" to enable flowbit dependencies "silently" and no alerts gets triggered for those rules.

Actions #2

Updated by Victor Julien about 5 years ago

  • Description updated (diff)
Actions #3

Updated by Jason Ish about 5 years ago

I think its worth discussing if this should be the default behaviour rather than a flag. I had meant to do this in the initial version, and either forgot, or thought I did it already (which I obviously have not).

Actions #4

Updated by Konstantin Klinger about 5 years ago

Jason Ish wrote:

I think its worth discussing if this should be the default behaviour rather than a flag. I had meant to do this in the initial version, and either forgot, or thought I did it already (which I obviously have not).

Yes, I would vote for default behavior. But it is also worth a discussion, because in this way we are "manipulating" the original rule in some way by adding "flowbits:noalert;".

Actions #5

Updated by Victor Julien about 5 years ago

Yeah, I feel this is sensible default as well.

Actions #6

Updated by Konstantin Klinger about 5 years ago

Shall I include this as default behavior in the pull request?

Actions #7

Updated by Jason Ish about 5 years ago

Konstantin Klinger wrote:

Shall I include this as default behavior in the pull request?

Yes please. I'm wondering if there should be an option to turn this off? My feeling right now is no, just make it work this way.

Actions #8

Updated by Konstantin Klinger about 5 years ago

I've adjusted my commit with the changes discussed and opened a new pull request: https://github.com/OISF/suricata-update/pull/140/

Actions #9

Updated by Shivani Bhardwaj about 5 years ago

  • Status changed from New to Feedback
Actions #10

Updated by Konstantin Klinger about 5 years ago

What do you think about doing the same thing for "xbits"? I am thinking about a resolve_xbits function and also enable depending rules silently with "noalert;".

Actions #11

Updated by Shivani Bhardwaj almost 5 years ago

  • Status changed from Feedback to Resolved
Actions #12

Updated by Shivani Bhardwaj almost 5 years ago

  • Status changed from Resolved to Closed
Actions #13

Updated by Jason Ish almost 5 years ago

Konstantin Klinger wrote:

What do you think about doing the same thing for "xbits"? I am thinking about a resolve_xbits function and also enable depending rules silently with "noalert;".

Yes, we should consider the same for xbits.

Actions #14

Updated by Jason Ish almost 5 years ago

  • Target version changed from TBD to 1.1.0rc1
Actions

Also available in: Atom PDF