[Oisf-users] Rule Processing Order Issue

Özkan KIRIK ozkan.kirik at gmail.com
Sat Jan 2 06:24:17 UTC 2016


Hi,

Happy new year to everybody,

I have trouble with Suricata's rule processing order. I'm trying to apply
different policies to different users. My rules are as below. But Suricata
processes pass first, drop second, so the last rule "pass any.."
allows everybody.

Can Suricata run my rules as I wrote them, without reordering?

Thanks

# Ruleset for userGroup-25
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.com"; sid:3230002; rev:1;)
pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.net"; sid:3230004; rev:1;)
drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3230010; rev:1;)

...
#Rules for other userGroups
...

# Ruleset for Others
drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)
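
The behaviour described in this post, as an added example that is not part of the original message and not Suricata's own code: a simplified Python model that evaluates the rules above once by action order (Suricata's default `action-order` is pass, drop, reject, alert) and once in file order. The 10.0.25.0/24 network standing in for $userGroup-25, the sample certificate subjects and the function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Suricata's default action-order from suricata.yaml.
ACTION_ORDER = ["pass", "drop", "reject", "alert"]

GROUP_25 = ip_network("10.0.25.0/24")  # constructed stand-in for $userGroup-25
ANY = ip_network("0.0.0.0/0")

# The post's rules in file order: (action, destination, tls.subject or None, msg)
RULES = [
    ("pass", GROUP_25, "example.com", "SSL Cert Denied"),
    ("pass", GROUP_25, "example.net", "SSL Cert Denied"),
    ("drop", GROUP_25, None, "Default Drop For userGroup-25"),
    ("drop", ANY, "example1.com", "SSL Cert Denied"),
    ("pass", ANY, None, "Default Pass"),
]

def matching(dst, subject):
    """Rules whose destination and (optional) tls.subject both match."""
    return [r for r in RULES
            if ip_address(dst) in r[1] and (r[2] is None or r[2] in subject)]

def verdict_action_order(dst, subject):
    """Simplified model: the matching rule whose action ranks first decides."""
    hits = sorted(matching(dst, subject), key=lambda r: ACTION_ORDER.index(r[0]))
    return (hits[0][0], hits[0][3]) if hits else None

def verdict_file_order(dst, subject):
    """What the author expected: the first matching rule in the file decides."""
    hits = matching(dst, subject)
    return (hits[0][0], hits[0][3]) if hits else None

if __name__ == "__main__":
    # Constructed sample traffic: (destination address, certificate subject)
    samples = [
        ("10.0.25.7", "CN=example.com"),
        ("10.0.25.7", "CN=other.example.org"),
        ("192.0.2.9", "CN=example1.com"),
    ]
    for dst, subj in samples:
        print(dst, subj, verdict_action_order(dst, subj), verdict_file_order(dst, subj))
```

In this model the unrestricted "Default Pass" rule matches every packet and, because pass ranks ahead of drop, overrides both the group's default drop and the "Others" certificate drop.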