[Oisf-users] Suri-update Order of operations

Jason Ish ish at unx.ca
Tue May 8 03:27:26 UTC 2018

Hi Russel,

On Tue, 2018-05-08 at 15:08 +1200, Russell Fulton wrote:
> Hi
> It isn’t clear to me whether disable or enable get done first, nor
> could I find an option to control the order as there is in pulled
> pork.

It is pretty close to disable first, then enable. But we don't do a
single disable pass, then a disable pass, though that might be more

Basically for each rule we check if there is a matching disable,
disable if there is. Then check if there is a matching enable, enable
if there is. Then finally we check if there is a match "drop" filter to
turn the rule into a drop.

After that pass we run the modification filters.

Then finally we turn on rules that are required to meet the flowbit

Specifying the order was something I wanted to avoid, but it might be
inevitable. I think I was hoping to come up with a better solution
should it ever be a requirement.

Its all done around here https://github.com/OISF/suricata-update/blob/m

> I prefer doing disables first and then enables as this allows me to
> disable all “info” rules and then enable the small set I am
> interested in.  I do the same with policy

This should work as expected. If its not can you provide me with a
description of where its not doing what it should?

Also, I'll get to your other contribution soon.


More information about the Oisf-users mailing list