[Oisf-users] Rule Processing Order Issue
Victor Julien
lists at inliniac.net
Tue Jan 5 13:15:04 UTC 2016
On 02-01-16 07:24, Özkan KIRIK wrote:
> I have trouble with suricata rule processing order. I'm trying to
> apply different policies to different users. My rules are as below. But
> suricata processes pass first, drop second. So the last rule
> "pass any.." allows everybody.
>
> Can suricata run my rules as I wrote them, without reordering?
>
> Thanks
>
> # Ruleset for userGroup-25
> pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";
> tls.subject:"example.com"; sid:3230002; rev:1;)
> pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";
> tls.subject:"example.net"; sid:3230004; rev:1;)
> drop tcp any any -> $userGroup-25 any (msg:"Default Drop For
> userGroup-25"; sid:3230010; rev:1;)
>
> ...
> #Rules for other userGroups
> ...
>
> # Ruleset for Others
> drop tls any any -> any any (msg:"SSL Cert Denied";
> tls.subject:"example1.com"; sid:3230007; rev:1;)
> pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)
>
>
A trick to make this work could be to add explicit priorities to the
rules. E.g. priority:1;
Priority 1 is inspected before 2, 2 before 3, etc.
Feel free to open a feature request ticket for disabling the ordering
completely.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
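The ordering problem in this thread is easy to reason about with a small model. The script below is an added illustration, not code from the thread or from the Suricata project: it models rule evaluation the way Victor's reply describes it (rules grouped by the default action order pass, drop, reject, alert; an explicit `priority:` value places lower numbers ahead of higher ones), runs a constructed version of Özkan's ruleset (sids renumbered 1 to 5, the duplicate sid from the post avoided) against constructed TLS flows, and shows which rule wins with and without priorities. The treatment of rules that carry no `priority` keyword (modelled here as priority 3) and the substring semantics of `tls.subject` are assumptions of the model; the real sort lives in Suricata's detection engine, so confirm the behaviour against the version you run before relying on it.

```python
"""Simplified model of Suricata rule ordering as described in the thread.

Constructed example: rules are sorted by (priority, action order) with
file order preserved inside each group.  This is NOT Suricata's own sort
implementation; DEFAULT_PRIORITY for rules without a priority keyword is
an assumption of this model.
"""
import re
from dataclasses import dataclass
from typing import Optional

ACTION_ORDER = ["pass", "drop", "reject", "alert"]  # default action-order
DEFAULT_PRIORITY = 3  # assumption: rules with no priority keyword


@dataclass
class Rule:
    action: str
    proto: str
    dst: str
    sid: int
    priority: Optional[int]
    tls_subject: Optional[str]
    msg: str


RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+(\S+)\s+\S+\s+\((.*)\)$")


def parse_rule(line: str) -> Rule:
    """Extract the handful of fields this model needs from one rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    action, proto, dst, opts = m.groups()

    def opt(name: str) -> Optional[str]:
        found = re.search(rf"{re.escape(name)}:([^;]*);", opts)
        return found.group(1) if found else None

    subj, prio = opt("tls.subject"), opt("priority")
    return Rule(action, proto, dst, int(opt("sid")),
                int(prio) if prio else None,
                subj.strip('"') if subj else None,
                (opt("msg") or "").strip('"'))


def order_rules(rules):
    """Lower priority number first, then the default action order; stable."""
    def key(r):
        prio = r.priority if r.priority is not None else DEFAULT_PRIORITY
        return (prio, ACTION_ORDER.index(r.action))
    return sorted(rules, key=key)


def matches(rule: Rule, pkt: dict) -> bool:
    proto_ok = rule.proto == pkt["proto"] or (rule.proto == "tcp" and pkt["proto"] == "tls")
    dst_ok = rule.dst == "any" or rule.dst == pkt["dst_group"]
    subj_ok = rule.tls_subject is None or rule.tls_subject in pkt.get("tls_subject", "")
    return proto_ok and dst_ok and subj_ok


def decide(rule_lines, pkt):
    """Return (action, sid) of the first rule that matches after ordering."""
    for r in order_rules([parse_rule(l) for l in rule_lines]):
        if matches(r, pkt):
            return (r.action, r.sid)
    return None


# Constructed ruleset mirroring the post, written in the order the author intended.
RULES_AS_WRITTEN = [
    'pass tls any any -> $userGroup-25 any (msg:"SSL Cert Allowed"; tls.subject:"example.com"; sid:1; rev:1;)',
    'pass tls any any -> $userGroup-25 any (msg:"SSL Cert Allowed"; tls.subject:"example.net"; sid:2; rev:1;)',
    'drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; sid:3; rev:1;)',
    'drop tls any any -> any any (msg:"SSL Cert Denied"; tls.subject:"example1.com"; sid:4; rev:1;)',
    'pass tcp any any -> any any (msg:"Default Pass"; sid:5; rev:1;)',
]

# Same rules with explicit priorities: group rules first, the catch-all pass last.
RULES_WITH_PRIORITY = [
    'pass tls any any -> $userGroup-25 any (msg:"SSL Cert Allowed"; priority:1; tls.subject:"example.com"; sid:1; rev:1;)',
    'pass tls any any -> $userGroup-25 any (msg:"SSL Cert Allowed"; priority:1; tls.subject:"example.net"; sid:2; rev:1;)',
    'drop tcp any any -> $userGroup-25 any (msg:"Default Drop For userGroup-25"; priority:1; sid:3; rev:1;)',
    'drop tls any any -> any any (msg:"SSL Cert Denied"; priority:2; tls.subject:"example1.com"; sid:4; rev:1;)',
    'pass tcp any any -> any any (msg:"Default Pass"; priority:3; sid:5; rev:1;)',
]

# Constructed flows: a TLS connection to a user in group 25 with an unlisted cert,
# one with an allowed cert, and a connection from another group to the denied cert.
PKT_GROUP25 = {"proto": "tls", "dst_group": "$userGroup-25", "tls_subject": "CN=www.unrelated.org"}
PKT_ALLOWED = {"proto": "tls", "dst_group": "$userGroup-25", "tls_subject": "CN=example.com"}
PKT_OTHER = {"proto": "tls", "dst_group": "$userGroup-99", "tls_subject": "CN=example1.com"}

if __name__ == "__main__":
    for name, rules in (("as written", RULES_AS_WRITTEN), ("with priority", RULES_WITH_PRIORITY)):
        print(name, [r.sid for r in order_rules([parse_rule(l) for l in rules])])
        for pkt in (PKT_GROUP25, PKT_ALLOWED, PKT_OTHER):
            print("  ", pkt["dst_group"], pkt["tls_subject"], "->", decide(rules, pkt))
```

Run as a script, the model reproduces the complaint: without priorities the ordered list starts with every pass rule, so the "Default Pass" catch-all matches userGroup-25 traffic before the group's drop is ever reached. With the priorities above the group's own rules are inspected first and the unlisted certificate is dropped. Note that giving the "Others" drop and the "Default Pass" the same priority would still let the pass win inside that group, which is why the catch-all gets its own, lowest-ranked priority here.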