Project

General

Profile

Actions
Copy link

Feature #8480

open
VJ

firewall: allow specifying multiple actions

Feature #8480: firewall: allow specifying multiple actions

Added by Victor Julien 2 days ago. Updated 1 day ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Currently a rule that should accept and log, should do something like

accept:packet ... (alert; ...)

It would be clearer if the actions are grouped together in the "action" field.

E.g. something like

accept,log:packet

Some other options:
{accept,log}:packet
accept:flow,log:packet
(accept|alert):packet

Not sure which syntax makes most sense. One thing to consider is if an action like accept is applied to the flow, should alert (or log) also be applied to the flow? Or just trigger once?

Related issues 3 (3 open0 closed)

Related to Suricata - Feature #8479: eve/firewall: dedicated log record typeNewActions
Related to Suricata - Feature #7701: firewall: configurable default policiesFeedbackVictor JulienActions
Related to Suricata - Bug #8444: firewall: accept:flow at app-layer hook bypasses app:td (IDS/IPS) evaluationNewActions
Actions
Copy link

Also available in: PDF Atom