[Oisf-users] Suri-update Order of operations
Jason Ish
ish at unx.ca
Tue May 8 03:27:26 UTC 2018
Hi Russell,
On Tue, 2018-05-08 at 15:08 +1200, Russell Fulton wrote:
> Hi
>
> It isn’t clear to me whether disable or enable get done first, nor
> could I find an option to control the order as there is in pulled
> pork.
It is pretty close to disable first, then enable. But we don't do a
single disable pass, then a disable pass, though that might be more
efficient.
Basically for each rule we check if there is a matching disable,
disable if there is. Then check if there is a matching enable, enable
if there is. Then finally we check if there is a matching "drop" filter to
turn the rule into a drop.
After that pass we run the modification filters.
Then finally we turn on rules that are required to meet the flowbit
requirements.
Specifying the order was something I wanted to avoid, but it might be
inevitable. I think I was hoping to come up with a better solution
should it ever be a requirement.
It's all done around here https://github.com/OISF/suricata-update/blob/master/suricata/update/main.py#L1309
>
> I prefer doing disables first and then enables as this allows me to
> disable all “info” rules and then enable the small set I am
> interested in. I do the same with policy
This should work as expected. If it's not, can you provide me with a
description of where its not doing what it should?
Also, I'll get to your other contribution soon.
Thanks,
Jason
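The passes Jason describes above (per rule: disable, then enable, then drop; then modify filters; then flowbit resolution), as an added example in Python. This is not suricata-update's own code; it is a toy model written for this post. It assumes a simplified filter syntax (a bare sid, or "re:" followed by a regex over the rule line, and modify filters as '<matcher> "<from>" "<to>"'), all sample rules and sids are constructed, and the real tool reads its filters from disable.conf, enable.conf, drop.conf and modify.conf with more matcher kinds than shown here.

```python
"""Toy model of the suricata-update filter ordering (added example, not the project's code)."""
import re
from dataclasses import dataclass

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"flowbits:\s*(set|isset)\s*,\s*([^;]+?)\s*;")


@dataclass
class Rule:
    text: str
    sid: int
    enabled: bool = True

    @property
    def action(self) -> str:
        return self.text.split(None, 1)[0]


def parse_rule(line: str) -> Rule:
    m = SID_RE.search(line)
    if m is None:
        raise ValueError("rule has no sid: %r" % line)
    return Rule(text=line.strip(), sid=int(m.group(1)))


def make_matcher(spec: str):
    """Predicate from a filter spec: a bare sid, or 're:<regex>' over the rule text (assumed syntax)."""
    spec = spec.strip()
    if spec.isdigit():
        sid = int(spec)
        return lambda r: r.sid == sid
    if spec.startswith("re:"):
        pat = re.compile(spec[3:], re.IGNORECASE)
        return lambda r: pat.search(r.text) is not None
    raise ValueError("unsupported filter spec: %r" % spec)


def parse_modify(line: str):
    """Simplified modify filter: '<matcher> "<from-regex>" "<to>"' (assumed syntax)."""
    m = re.match(r'^(\S+)\s+"([^"]*)"\s+"([^"]*)"\s*$', line.strip())
    if m is None:
        raise ValueError("bad modify filter: %r" % line)
    return make_matcher(m.group(1)), m.group(2), m.group(3)


def apply_filters(rules, disable=(), enable=(), drop=(), modify=()):
    disable_m = [make_matcher(s) for s in disable]
    enable_m = [make_matcher(s) for s in enable]
    drop_m = [make_matcher(s) for s in drop]
    modify_f = [parse_modify(s) for s in modify]

    # Pass 1, per rule: disable, then enable, then drop. Enable is checked after
    # disable for every rule, so an enable always wins over a disable matching the
    # same rule, regardless of how the filters were listed.
    for r in rules:
        if any(m(r) for m in disable_m):
            r.enabled = False
        if any(m(r) for m in enable_m):
            r.enabled = True
        if any(m(r) for m in drop_m) and r.text.startswith("alert "):
            r.text = "drop " + r.text[len("alert "):]

    # Pass 2: modification filters run only after enable/disable/drop have settled.
    for matcher, old, new in modify_f:
        for r in rules:
            if matcher(r):
                r.text = re.sub(old, new, r.text)

    # Pass 3: re-enable disabled rules that set a flowbit some enabled rule checks.
    # Loop until stable, since a re-enabled setter may itself check another flowbit.
    changed = True
    while changed:
        changed = False
        needed = {name for r in rules if r.enabled
                  for kind, name in FLOWBITS_RE.findall(r.text) if kind == "isset"}
        for r in rules:
            if not r.enabled and any(kind == "set" and name in needed
                                     for kind, name in FLOWBITS_RE.findall(r.text)):
                r.enabled = True
                changed = True
    return rules


# Constructed sample rules; sids, messages and the flowbit name are made up for this example.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"ET INFO sample one"; flowbits:set,ET.example; flowbits:noalert; sid:2100001; rev:1;)',
    'alert tcp any any -> any any (msg:"ET INFO sample two"; sid:2100002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY sample three"; flowbits:isset,ET.example; sid:2100003; rev:1;)',
    'alert tcp any any -> any any (msg:"ET MALWARE sample four"; sid:2100004; rev:1;)',
]


def run_example():
    """Disable every INFO rule, re-enable one of them, drop one rule, rewrite one."""
    rules = apply_filters(
        [parse_rule(r) for r in SAMPLE_RULES],
        disable=["re:ET INFO"],
        enable=["2100002"],
        drop=["2100004"],
        modify=['2100003 "\\$HOME_NET" "any"'],
    )
    return {r.sid: (r.enabled, r.action, r.text) for r in rules}


if __name__ == "__main__":
    for sid, (enabled, action, text) in sorted(run_example().items()):
        print(sid, "enabled" if enabled else "disabled", action, text)
```

Running it shows the behaviour Russell wants: the "re:ET INFO" disable takes out both INFO rules, the sid enable brings sid 2100002 back, and sid 2100001 comes back anyway in the last pass because the enabled POLICY rule checks the flowbit it sets. Drop and modify never change whether a rule is enabled.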