<div dir="ltr">Thank you Peter, <div><br></div><div>But this configuration doesn't disable ordering. If the drop action is processed first, all packets to <span style="color:rgb(80,0,80);font-size:12.8px">userGroup-25 will be dropped. If the pass action is processed first, the drop rule for Others will not be processed. So I need to disable rule ordering.</span></div><div>Is there a way to disable rule ordering?</div><div><br></div><div>Thanks again.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jan 2, 2016 at 5:36 PM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sat, Jan 2, 2016 at 7:24 AM, Özkan KIRIK <<a href="mailto:ozkan.kirik@gmail.com">ozkan.kirik@gmail.com</a>> wrote:<br>
> Hi,<br>
><br>
> Happy new year to everybody,<br>
><br>
> I have trouble with Suricata rule processing order. I'm trying to apply<br>
> different policies to different users. My rules are as below. But Suricata<br>
> processes pass first, drop second. So the last rule "pass any.."<br>
> allows everybody.<br>
><br>
> Can Suricata run my rules as I wrote them without reordering?<br>
<br>
</span>You also have some default ordering that can be further configured in<br>
suricata.yaml -<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032</a><br>
<span class=""><br>
<br>
><br>
> Thanks<br>
><br>
> # Ruleset for userGroup-25<br>
> pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";<br>
> tls.subject:"example.com"; sid:3230002; rev:1;)<br>
> pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";<br>
> tls.subject:"example.net"; sid:3230004; rev:1;)<br>
> drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25";<br>
> sid:3230010; rev:1;)<br>
><br>
> ...<br>
> #Rules for other userGroups<br>
> ...<br>
><br>
> # Ruleset for Others<br>
> drop tls any any -> any any (msg:"SSL Cert Denied";<br>
> tls.subject:"example1.com"; sid:3230007; rev:1;)<br>
> pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)<br>
><br>
</span>> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div>
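Added example, not part of the original messages and not Suricata code: a simplified Python model of the ruleset quoted in this thread, showing the verdict each flow gets when rules run as written versus when they are grouped by action. It assumes the first matching rule decides the verdict; the `Rule` and `Flow` types, the `other` destination label and the sample flows are constructed for illustration.

```python
# Simplified model (an assumption, not Suricata's detection engine): rules are
# grouped by action in the configured order and the first matching rule decides.
from collections import namedtuple

Rule = namedtuple("Rule", "action proto dst subject")
Flow = namedtuple("Flow", "dst subject")

# The ruleset from the message, in the order it was written.
RULES = [
    Rule("pass", "tls", "userGroup-25", "example.com"),
    Rule("pass", "tls", "userGroup-25", "example.net"),
    Rule("drop", "tcp", "userGroup-25", None),   # default drop for the group
    Rule("drop", "tls", "any", "example1.com"),  # ruleset for Others
    Rule("pass", "tcp", "any", None),            # default pass
]

# Constructed sample flows: destination group and TLS certificate subject.
FLOWS = {
    "g25_allowed": Flow("userGroup-25", "example.com"),
    "g25_other": Flow("userGroup-25", "other.test"),
    "others_denied": Flow("other", "example1.com"),
    "others_plain": Flow("other", None),
}

def matches(rule, flow):
    if rule.dst not in ("any", flow.dst):
        return False
    if rule.proto == "tls":
        return flow.subject is not None and rule.subject in flow.subject
    return True  # plain tcp rule: matches every flow to that destination

def verdict(flow, rules, action_order=None):
    """action_order=None keeps file order; otherwise rules are sorted by action."""
    if action_order is not None:
        # sorted() is stable, so file order is kept within each action.
        rules = sorted(rules, key=lambda r: action_order.index(r.action))
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "pass"  # nothing matched

def compare():
    orders = {"as written": None, "pass first": ["pass", "drop"],
              "drop first": ["drop", "pass"]}
    return {name: {label: verdict(flow, RULES, order)
                   for label, flow in FLOWS.items()}
            for name, order in orders.items()}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:11} {row}")
```

Under this model, neither global ordering reproduces the per-group policy that the file order expresses, which is the problem described in the reply above.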