Feature #2906 (closed)
Make sure that noalert is set in newly enabled rules
Description
Suricata-update comes with a function by which rules that depend on flowbits get enabled recursively until all flowbit dependencies/conflicts are resolved. This leads to the following problem: Rules that have been previously disabled (e.g. in disable.conf) will get enabled and could produce a lot of noise (e.g. ET INFO rules that match on vulnerable Java versions). I would suggest adding the option "flowbit-no-alert" to enable flowbit dependencies "silently" so that no alerts get triggered for those rules.
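The resolution described above, as an added illustration that is not suricata-update's own code: a minimal flowbit resolver that transitively enables disabled rules whose flowbits are checked by enabled rules and appends "flowbits:noalert;" to every rule enabled that way. The rules are constructed samples, not real ET signatures, and treating both "isset" and "isnotset" as dependencies is an assumption of this example.

```python
import re

# Constructed sample rules (not real ET signatures). Rules 1000001, 1000003 and
# 1000004 were disabled (e.g. via disable.conf); 1000002 is enabled and checks a
# flowbit that 1000001 sets, which in turn checks a flowbit that 1000004 sets.
RULES = """
#alert http any any -> any any (msg:"CONSTRUCTED INFO old client"; flowbits:isset,demo.stage1; flowbits:set,demo.oldclient; sid:1000001; rev:1;)
alert http any any -> any any (msg:"CONSTRUCTED EXPLOIT needs old client"; flowbits:isset,demo.oldclient; sid:1000002; rev:1;)
#alert http any any -> any any (msg:"CONSTRUCTED INFO unrelated"; flowbits:set,demo.other; sid:1000003; rev:1;)
#alert http any any -> any any (msg:"CONSTRUCTED INFO stage1"; flowbits:set,demo.stage1; sid:1000004; rev:1;)
""".strip().splitlines()

FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rule(line):
    """Minimal parse: enabled flag, sid, and (operation, bit name) pairs."""
    enabled = not line.startswith("#")
    body = line.lstrip("#").strip()
    bits = []
    for m in FLOWBITS_RE.finditer(body):
        parts = [p.strip() for p in m.group(1).split(",")]
        bits.append((parts[0], parts[1] if len(parts) > 1 else None))
    return {"sid": int(SID_RE.search(body).group(1)), "enabled": enabled,
            "raw": body, "bits": bits, "noalert": ("noalert", None) in bits}

def resolve_flowbits(rules):
    """Enable disabled rules that set a flowbit some enabled rule checks.
    Loop until a fixed point so chains of dependencies are resolved, and
    mark every rule enabled only for this reason as noalert."""
    changed = True
    while changed:
        changed = False
        # Assumption: isset and isnotset both count as depending on the setter.
        needed = {name for r in rules if r["enabled"]
                  for op, name in r["bits"] if op in ("isset", "isnotset")}
        for r in rules:
            if r["enabled"]:
                continue
            if any(op in ("set", "toggle") and name in needed for op, name in r["bits"]):
                r["enabled"], r["noalert"], changed = True, True, True
    return rules

def render(rule):
    """Emit the rule text, adding flowbits:noalert; unless already present."""
    raw = rule["raw"]
    if rule["noalert"] and ("noalert", None) not in rule["bits"]:
        raw = raw[:raw.rindex(")")] + " flowbits:noalert;)"
    return raw if rule["enabled"] else "#" + raw
```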
Updated by Konstantin Klinger over 5 years ago
Updated by Jason Ish over 5 years ago
I think it's worth discussing if this should be the default behaviour rather than a flag. I had meant to do this in the initial version, and either forgot, or thought I did it already (which I obviously have not).
Updated by Konstantin Klinger over 5 years ago
Jason Ish wrote:
I think it's worth discussing if this should be the default behaviour rather than a flag. I had meant to do this in the initial version, and either forgot, or thought I did it already (which I obviously have not).
Yes, I would vote for default behavior. But it is also worth a discussion, because in this way we are "manipulating" the original rule in some way by adding "flowbits:noalert;".
Updated by Victor Julien over 5 years ago
Yeah, I feel this is a sensible default as well.
Updated by Konstantin Klinger over 5 years ago
Shall I include this as default behavior in the pull request?
Updated by Jason Ish over 5 years ago
Konstantin Klinger wrote:
Shall I include this as default behavior in the pull request?
Yes please. I'm wondering if there should be an option to turn this off? My feeling right now is no, just make it work this way.
Updated by Konstantin Klinger over 5 years ago
I've adjusted my commit with the changes discussed and opened a new pull request: https://github.com/OISF/suricata-update/pull/140/
Updated by Shivani Bhardwaj over 5 years ago
- Status changed from New to Feedback
Updated by Konstantin Klinger over 5 years ago
What do you think about doing the same thing for "xbits"? I am thinking about a resolve_xbits function and also enabling dependent rules silently with "noalert;".
Updated by Shivani Bhardwaj over 5 years ago
- Status changed from Feedback to Resolved
Updated by Shivani Bhardwaj over 5 years ago
- Status changed from Resolved to Closed
Updated by Jason Ish over 5 years ago
Konstantin Klinger wrote:
What do you think about doing the same thing for "xbits"? I am thinking about a resolve_xbits function and also enabling dependent rules silently with "noalert;".
Yes, we should consider the same for xbits.
Updated by Jason Ish over 5 years ago
- Target version changed from TBD to 1.1.0rc1