Project

General

Profile

Actions
Copy link

Feature #6794

open
SJ SJ

Tie signature to live device in IPS mode

Feature #6794: Tie signature to live device in IPS mode

Added by Scott Jordan about 2 years ago. Updated about 1 year ago.

Status:
In Review
Priority:
Normal
Assignee:
Scott Jordan
Target version:
TBD
Effort:
medium
Difficulty:
medium
Label:

Description

Be able to tie signatures to a specific interface in IPS mode. Suricata supports multi-tenancy and there could be a solution going down that path, but multi-tenancy is not currently supported for IPS.

I have a solution that implements an "origin" keyword that essentially adds a role to a live device, i.e. client, server, etc., then the origin keyword is used so that a signature only triggers if a flow originated from an interface with a specific role.

I will make a PR shortly with this keyword.

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #6726: stream: stream.drop-invalid drops valid trafficClosedVictor JulienActions

VJ Updated by Victor Julien about 2 years ago Actions
Copy link
 #1

  • Related to Bug #6726: stream: stream.drop-invalid drops valid traffic added

VJ Updated by Victor Julien about 2 years ago Actions
Copy link
 #2

I've added the relation to #6726 as there is an issue with IPS livedev flow tracking.

SJ Updated by Scott Jordan about 2 years ago Actions
Copy link
 #3

  • Description updated (diff)

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #4

  • Status changed from In Progress to In Review
Actions
Copy link

Also available in: PDF Atom