[Oisf-users] Rule Processing Order Issue

Peter Manev petermanev at gmail.com
Tue Jan 5 10:00:52 UTC 2016


On Sun, 2016-01-03 at 00:01 +0200, Özkan KIRIK wrote:
> Thank you Peter, 
> 
> 
> But this configuration doesn't disable ordering. If the drop action is
> processed first, all packets to userGroup-25 will be dropped. If the pass
> action is processed first, the drop rule for Others will not be processed. So
> I need to disable rule ordering.
> Is there a way to disable rule ordering?

Aha - so you want this to be on a per "rule group" type of thing.
Don't think this is possible now. A suggestion below for a workaround
(if I understood the issue correctly):

> 
> 
> Thanks again.
> 
> On Sat, Jan 2, 2016 at 5:36 PM, Peter Manev <petermanev at gmail.com>
> wrote:
>         On Sat, Jan 2, 2016 at 7:24 AM, Özkan KIRIK
>         <ozkan.kirik at gmail.com> wrote:
>         > Hi,
>         >
>         > Happy new year to everybody,
>         >
>         > I have trouble with suricata rule processing order. I'm trying to apply
>         > different policies to different users. My rules are as below. But suricata
>         > processes pass first, drop second. So the last rule "pass any.."
>         > allows everybody.
>         >
>         > Can suricata run my rules as I wrote them, without reordering?
>         
>         You also have some default ordering that can be further configured in
>         suricata.yaml -
>         https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/suricata-2.0.11/entry/suricata.yaml.in#L1032
>         
>         
>         >
>         > Thanks
>         >
>         > # Ruleset for userGroup-25
>         > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.com"; sid:3230002; rev:1;)
>         > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied"; tls.subject:"example.net"; sid:3230004; rev:1;)
>         > drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3230010; rev:1;)
>         >
>         > ...
>         > # Rules for other userGroups
>         > ...
>         >
>         > # Ruleset for Others
>         > drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230007; rev:1;)
>         > pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)

pass tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:!"example1.com"; sid:3230007; rev:1;)
 - notice the negation above

drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:3230008; rev:1;)


>         >
>         > _______________________________________________
>         > Suricata IDS Users mailing list:
>         oisf-users at openinfosecfoundation.org
>         > Site: http://suricata-ids.org | Support:
>         http://suricata-ids.org/support/
>         > List:
>         https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>         > Suricata User Conference November 4 & 5 in Barcelona:
>         http://oisfevents.net
>         
>         
>         
>         --
>         Regards,
>         Peter Manev
> 
> 

-- 
Regards,
Peter Manev
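As an added illustration (not code from the thread or from Suricata itself), a small Python model of the default action-order precedence discussed above, run over both the original rule set and the suggested workaround for a few constructed packets. Rule matching is simplified (protocol, destination group, substring tls.subject match with optional negation); the group names and subjects are the ones quoted in the thread, and a None subject stands for a packet on which no certificate subject is available.

```python
from dataclasses import dataclass
from typing import Optional

# suricata.yaml default action-order: among all rules that match a packet,
# the action earliest in this list wins, whatever order the rules are in.
ACTION_ORDER = ["pass", "drop", "reject", "alert"]

@dataclass
class Rule:
    action: str
    proto: str                      # "tcp" matches all TCP, "tls" only TLS
    dst: str                        # address group from the thread, or "any"
    msg: str
    subject: Optional[str] = None   # tls.subject content match, if any
    negated: bool = False           # tls.subject:!"..."

def matches(rule: Rule, dst: str, subject: Optional[str]) -> bool:
    """dst: group the destination is in; subject: TLS cert subject or None."""
    if rule.proto == "tls" and subject is None:
        return False
    if rule.dst != "any" and rule.dst != dst:
        return False
    if rule.subject is None:
        return True
    return (subject is not None and rule.subject in subject) != rule.negated

def verdict(rules: list, dst: str, subject: Optional[str] = None) -> str:
    """Winning action, or 'none' when no rule matches (traffic is allowed)."""
    hits = [r for r in rules if matches(r, dst, subject)]
    if not hits:
        return "none"
    return min(hits, key=lambda r: ACTION_ORDER.index(r.action)).action

# The rule sets quoted in the thread (sids omitted; msg identifies the rule).
ORIGINAL = [
    Rule("pass", "tls", "$userGroup-25", "SSL Cert Denied", "example.com"),
    Rule("pass", "tls", "$userGroup-25", "SSL Cert Denied", "example.net"),
    Rule("drop", "tcp", "$userGroup-25", "Default Drop For userGroup-25"),
    Rule("drop", "tls", "any", "SSL Cert Denied", "example1.com"),
    Rule("pass", "tcp", "any", "Default Pass"),
]
WORKAROUND = ORIGINAL[:3] + [
    Rule("pass", "tls", "any", "SSL Cert Denied", "example1.com", negated=True),
    Rule("drop", "tls", "any", "SSL Cert Denied", "example1.com"),
]

if __name__ == "__main__":
    for dst, subj in (("Others", "example1.com"), ("$userGroup-25", "example3.com"),
                      ("$userGroup-25", None)):
        print(dst, subj, verdict(ORIGINAL, dst, subj), verdict(WORKAROUND, dst, subj))
```

The verdicts are per packet, not per flow: the None case shows which rule wins on packets seen before any certificate is parsed, which is where the group-wide "drop tcp" rule and a later "pass tls" rule behave very differently.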