[Oisf-users] Rule Processing Order Issue

Peter Manev petermanev at gmail.com
Sat Jan 2 15:36:40 UTC 2016


On Sat, Jan 2, 2016 at 7:24 AM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:
> Hi,
>
> Happy new year to everybody,
>
> I have a problem with the Suricata rule processing order. I'm trying to apply
> different policies to different users. My rules are as below. But Suricata
> processes pass first, drop second, so the last rule "pass any..."
> allows everybody.
>
> Can Suricata run my rules in the order I wrote them, without reordering?

You also have some default ordering that can be further configured in
suricata.yaml -
https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032


>
> Thanks
>
> # Ruleset for userGroup-25
> pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.com"; sid:3230002; rev:1;)
> pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.net"; sid:3230004; rev:1;)
> drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3230010; rev:1;)
>
> ...
> #Rules for other userGroups
> ...
>
> # Ruleset for Others
> drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
> pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)
>



-- 
Regards,
Peter Manev
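To make the action-order point concrete, here is a small model (added here; not code from the thread or from Suricata itself) of how the quoted ruleset is resolved: every rule is evaluated, and among the matching rules the one whose action comes first in suricata.yaml's action-order wins, independent of its position in the rule file. It models only that precedence, not per-packet evaluation timing; the rules and flows are rebuilt as constructed data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Suricata's default action-order (configurable in suricata.yaml):
# a matching pass rule beats a matching drop rule, whatever the file order.
DEFAULT_ORDER = ["pass", "drop", "reject", "alert"]
DROP_FIRST_ORDER = ["drop", "reject", "pass", "alert"]

@dataclass
class Rule:
    action: str
    proto: str                          # "tcp" or "tls"
    dst_group: str                      # "$userGroup-25" or "any"
    msg: str
    tls_subject: Optional[str] = None   # value of tls.subject, if the rule has one

@dataclass
class Flow:
    dst_group: str                      # address group the destination belongs to
    tls_subject: Optional[str] = None   # None: no TLS certificate seen on this flow

# The ruleset from the thread, rebuilt as data (constructed for this model).
THREAD_RULES: List[Rule] = [
    Rule("pass", "tls", "$userGroup-25", "SSL Cert Denied", "example.com"),
    Rule("pass", "tls", "$userGroup-25", "SSL Cert Denied", "example.net"),
    Rule("drop", "tcp", "$userGroup-25", "Default Drop For userGroup-25"),
    Rule("drop", "tls", "any", "SSL Cert Denied", "example1.com"),
    Rule("pass", "tcp", "any", "Default Pass"),
]

def matches(rule: Rule, flow: Flow) -> bool:
    if rule.dst_group not in ("any", flow.dst_group):
        return False
    if rule.proto == "tls" and flow.tls_subject is None:
        return False
    return rule.tls_subject is None or rule.tls_subject == flow.tls_subject

def verdict(rules: List[Rule], flow: Flow,
            order: List[str] = DEFAULT_ORDER) -> Tuple[str, Optional[str]]:
    """Evaluate all rules; the matching rule whose action comes earliest in
    `order` wins (ties keep file order). File position alone never decides,
    which is why 'pass tcp any' wins under the default order."""
    hits = [r for r in rules if matches(r, flow)]
    if not hits:
        return ("none", None)
    winner = min(hits, key=lambda r: order.index(r.action))
    return (winner.action, winner.msg)

if __name__ == "__main__":
    flow = Flow("$userGroup-25", "example1.com")
    print(verdict(THREAD_RULES, flow))                    # ('pass', 'Default Pass')
    print(verdict(THREAD_RULES, flow, DROP_FIRST_ORDER))  # ('drop', 'Default Drop For userGroup-25')
```

Putting drop ahead of pass makes the example1.com case drop, but the same run shows the per-group drop rule then also beats the per-group pass rules for example.com, so the order setting alone does not express a first-match-in-file policy.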


