[Oisf-users] Rule Processing Order Issue

Özkan KIRIK ozkan.kirik at gmail.com
Tue Jan 5 17:34:30 UTC 2016


Thank you Victor,

I opened a Feature request.

On Tue, Jan 5, 2016 at 3:15 PM, Victor Julien <lists at inliniac.net> wrote:

> On 02-01-16 07:24, Özkan KIRIK wrote:
> > I have trouble with suricata rule processing order. I'm trying to
> > apply different policies to different users. My rules are as below. But
> > suricata processes pass first, drop second, so the last rule
> > "pass any.." allows everybody.
> >
> > Can suricata run my rules as I wrote them, without reordering?
> >
> > Thanks
> >
> > # Ruleset for userGroup-25
> > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";
> > tls.subject:"example.com"; sid:3230002; rev:1;)
> > pass tls any any -> $userGroup-25 any (msg:"SSL Cert Denied";
> > tls.subject:"example.net"; sid:3230004; rev:1;)
> > drop tcp any any -> $userGroup-25 any (msg:"Default Drop For
> > userGroup-25"; sid:3230010; rev:1;)
> >
> > ...
> > #Rules for other userGroups
> > ...
> >
> > # Ruleset for Others
> > drop tls any any -> any any (msg:"SSL Cert Denied";
> > tls.subject:"example1.com"; sid:3230007; rev:1;)
> > pass tcp any any -> any any (msg:"Default Pass"; sid:3230010; rev:1;)
> >
> >
>
> A trick to make this work could be to add explicit priorities to the
> rules. E.g. priority:1;
>
> Priority 1 is inspected before 2, 2 before 3, etc.
>
> Feel free to open a feature request ticket for disabling the ordering
> completely.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>