Project

General

Profile

Actions
Copy link

Feature #6794

open

Tie signature to live device in IPS mode

Added by Scott Jordan 2 months ago. Updated 2 months ago.

Status:
In Progress
Priority:
Normal
Assignee:
Scott Jordan
Target version:
TBD
Effort:
medium
Difficulty:
medium
Label:

Description

Be able to tie signatures to a specific interface in IPS mode. Suricata supports multi-tenancy and there could be a solution going down that path, but multi-tenancy is not currently supported for IPS.

I have a solution that implements an "origin" keyword that essentially adds a role to a live device, i.e. client, server, etc., then the origin keyword is used so that a signature only triggers if a flow originated from an interface with a specific role.

I will make a PR shortly with this keyword.

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #6726: stream: stream.drop-invalid drops valid trafficClosedVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien 2 months ago

  • Related to Bug #6726: stream: stream.drop-invalid drops valid traffic added
Actions
Copy link
 #2

Updated by Victor Julien 2 months ago

I've added the relation to #6726 as there is an issue with IPS livedev flow tracking.

Actions
Copy link
 #3

Updated by Scott Jordan 2 months ago

  • Description updated (diff)
Actions
Copy link

Also available in: Atom PDF