Feature #494

closed

ipv4 or ipv6 only rules

Added by Victor Julien over 11 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal

Description

Instead of "alert ip" allow for "alert ipv4" and "alert ip4". Likewise for IPv6.

Interesting question is how this should behave wrt address vars. If HOME_NET contains both ip4 and ip6, how should a rule like "alert ipv4 $HOME_NET..." behave? Error out? Use only the ipv4 part of the addresses?

Related issues 1 (0 open, 1 closed)

Related to Suricata - Feature #506: Update rules analyser after #494 changes (Closed, Eric Leblond, 07/13/2012)

Actions #1

Updated by Eric Leblond over 11 years ago

I think we should only use the matching subset. But it could trigger some funny things like a null subset. In this case, we should ERROR out.

Actions #2

Updated by Victor Julien over 11 years ago

Agreed. I think the rule analyzer should also display this information.

Actions #3

Updated by Eric Leblond over 11 years ago

  • % Done changed from 0 to 80
Actions #4

Updated by Eric Leblond over 11 years ago

Current code uses only the matching part of a variable. It does not fire an error if there is no intersection. It may be enough to have the rule analysers trigger a warning.

Actions #7

Updated by Victor Julien over 11 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 80 to 100
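
The behaviour settled on in this thread (use only the part of an address variable that matches the rule's IP family, and have the analyser warn when nothing is left), as an added Python example that is not Suricata's code or part of the original issue. The `ipv6`/`ip6` keywords, the flat CIDR-list variable format, the `analyse` helper and the sample variables are assumptions made for illustration.

```python
import ipaddress

# Rule protocol keyword -> IP versions it selects. "ipv4"/"ip4" are named in the
# issue; the IPv6 spellings are assumed by analogy ("Likewise for IPv6").
PROTO_VERSIONS = {"ip": {4, 6}, "ipv4": {4}, "ip4": {4}, "ipv6": {6}, "ip6": {6}}


def family_subset(entries, proto):
    """Return the networks in `entries` whose IP version matches `proto`."""
    versions = PROTO_VERSIONS[proto]
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [n for n in nets if n.version in versions]


def analyse(proto, var_name, address_vars):
    """Hypothetical analyser check: matching subset, plus a warning if it is empty."""
    subset = family_subset(address_vars[var_name], proto)
    warning = None
    if not subset:
        # Empty intersection: the rule can never match on this variable.
        warning = f"{proto} rule: ${var_name} has no addresses of that family"
    return subset, warning


# Constructed sample variables, not taken from a real configuration.
SAMPLE_VARS = {
    "HOME_NET": ["192.168.0.0/16", "10.0.0.0/8", "2001:db8::/32"],
    "DMZ6": ["2001:db8:1::/48"],
}

if __name__ == "__main__":
    for proto, var in [("ipv4", "HOME_NET"), ("ipv6", "HOME_NET"), ("ipv4", "DMZ6")]:
        subset, warning = analyse(proto, var, SAMPLE_VARS)
        print(proto, var, [str(n) for n in subset], warning or "ok")
```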