[Oisf-users] Rule Processing Order Issue

Özkan KIRIK ozkan.kirik at gmail.com
Sat Jan 2 22:01:31 UTC 2016


Thank you Peter,

But this configuration doesn't disable ordering. If the drop action is
processed first, all packets to userGroup-25 will be dropped. If the pass
action is processed first, the drop rule for Others will not be processed.
So I need to disable rule ordering.
Is there a way to disable rule ordering?

Thanks again.

On Sat, Jan 2, 2016 at 5:36 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Sat, Jan 2, 2016 at 7:24 AM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:
> > Hi,
> >
> > Happy new year to everybody,
> >
> > I have trouble with Suricata rule processing order. I'm trying to apply
> > different policies to different users. My rules are as below. But
> > Suricata processes pass first, drop second, so the last rule "pass any.."
> > allows everybody.
> >
> > Can Suricata run my rules as I wrote them, without reordering?
>
> You also have some default ordering that can be further configured in
> suricata.yaml -
>
> https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032
>
>
> >
> > Thanks
> >
> > # Ruleset for userGroup-25
> > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.com"; sid:3230002; rev:1;)
> > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.net"; sid:3230004; rev:1;)
> > drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3230010; rev:1;)
> >
> > ...
> > #Rules for other userGroups
> > ...
> >
> > # Ruleset for Others
> > drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
> > pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)
> >
>
>
>
> --
> Regards,
> Peter Manev
>
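
The ordering dilemma described in this thread, as an added example that is not part of the original messages: a simplified first-match model (an assumption, not Suricata's actual detection engine) run over the posted ruleset in file order, pass-first order and drop-first order. The group name `Others`, the certificate subjects and the function names are constructed for illustration.

```python
# Simplified model (an assumption, not Suricata's engine): rules are sorted by
# action priority, file order breaking ties, and the first matching rule
# decides the verdict. Every flow is TLS over TCP, so the protocol field of a
# rule is kept for reference only and both "tls" and "tcp" rules can match.

# (action, proto, destination group or None for "any", tls.subject or None, msg)
RULES = [
    ("pass", "tls", "userGroup-25", "example.com", "SSL Cert Denied"),
    ("pass", "tls", "userGroup-25", "example.net", "SSL Cert Denied"),
    ("drop", "tcp", "userGroup-25", None, "Default Drop For userGroup-25"),
    ("drop", "tls", None, "example1.com", "SSL Cert Denied"),
    ("pass", "tcp", None, None, "Default Pass"),
]

def matches(rule, dst_group, subject):
    _action, _proto, group, wanted, _msg = rule
    if group is not None and group != dst_group:
        return False
    # tls.subject is modelled as a substring match on the certificate subject.
    return wanted is None or wanted in subject

def verdict(dst_group, subject, action_order=None):
    """Return (action, msg) of the deciding rule for one TLS-over-TCP flow.

    action_order=None evaluates the rules exactly as written in the file.
    """
    rules = RULES
    if action_order is not None:
        # sorted() is stable, so file order is kept within each action.
        rules = sorted(RULES, key=lambda r: action_order.index(r[0]))
    for rule in rules:
        if matches(rule, dst_group, subject):
            return rule[0], rule[4]
    return "pass", "no rule matched"

# Constructed flows: (destination group, certificate subject).
FLOWS = [("userGroup-25", "CN=example.com"), ("userGroup-25", "CN=other.org"),
         ("Others", "CN=example1.com"), ("Others", "CN=other.org")]

if __name__ == "__main__":
    for label, order in [("as written", None), ("pass first", ["pass", "drop"]),
                         ("drop first", ["drop", "pass"])]:
        print(label, [verdict(g, s, order)[0] for g, s in FLOWS])
```

Only the file-order run gives the intended policy; pass-first lets the final "Default Pass" rule decide every flow, and drop-first lets the group's default drop override its two pass rules.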