Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IDPS: replace current ruleset filter option with policy editor #4445

Closed
AdSchellevis opened this issue Nov 5, 2020 · 0 comments
Closed

IDPS: replace current ruleset filter option with policy editor #4445

AdSchellevis opened this issue Nov 5, 2020 · 0 comments
Assignees
@AdSchellevis
Labels
feature Adding new functionality

Comments

@AdSchellevis
Copy link
Member

Problem description

Suricata rules can contain metadata, which can identify the intended audience and purpose of rules (such as expected performance impact, cve's and applications involved, etc, etc).

Although you can already change policies on a per rule basis, this is often rather labor extensive and doesn't cope well with future changes. Using the metadata in the rules should ease maintenance.

While adding these policies it would be practical to move the existing "filter" construction available in the rulesets as well, to avoid confusion on what to set where (in which case as policy would just turn into a filter and action to perform).

Planned change

A new form containing a grid which contains policies in which case someone can select rules from one or multiple rulesets and a planned action to perform.

An example could be select all threads aimed at Adobe flash with critical severity and drop traffic when hit.

Since the current "drop" filter rules would evaluate as select all alert rules in file and drop traffic, it should be a rather easy migration
@AdSchellevis AdSchellevis added the feature Adding new functionality label Nov 5, 2020
@AdSchellevis AdSchellevis self-assigned this Nov 5, 2020
AdSchellevis added a commit that referenced this issue Nov 5, 2020
@AdSchellevis
IDPS: work in progress policy editor for #4445
766bd66
AdSchellevis added a commit that referenced this issue Nov 6, 2020
@AdSchellevis
IDS - work in progress policy editor for #4445
289da74 
o page render performance improvements
o layout rules section
AdSchellevis added a commit that referenced this issue Nov 8, 2020
@AdSchellevis
IDS: bugfix previous for for #4445
e00758a
AdSchellevis added a commit that referenced this issue Nov 9, 2020
@AdSchellevis
IDS: work in progress policy editor for #4445
a0c043e 
With this commit policies functionally work, but there's still some refactoring todo.
o migrate download filters to a policy
o remove download filter option
o point to policies in the download section
o (maybe) move single rule overwrites to policies as well.
AdSchellevis added a commit that referenced this issue Nov 23, 2020
@AdSchellevis
IDPS: deprecate filter option on file downloads in favour of new poli…
1221542 
…cy option. migrates exsting filters to policies while there. for #4445
AdSchellevis added a commit that referenced this issue Nov 23, 2020
@AdSchellevis
IDPS: bug in policy parser preventing ruleset filter to function. for #…
74a64ce 
…4445
AdSchellevis added a commit that referenced this issue Nov 28, 2020
@AdSchellevis
IDPS: deprecate filter option on file downloads in favour of new poli…
a7a3d1f 
…cy option. migrates exsting filters to policies while there. for #4445
AdSchellevis added a commit that referenced this issue Nov 28, 2020
@AdSchellevis
IDPS: bug in policy parser preventing ruleset filter to function. for #…
323cbfd 
…4445
AdSchellevis added a commit that referenced this issue Dec 8, 2020
@AdSchellevis
IDPS: minor fixes and improvements for new policy feature (#4445).
be13b6f 
o feedback matched policy so we can easily find affective choice in the rule tab
o remove installed_action, installed_status since these values aren't valid anymore
o while here, set <pre/> tag width to a maximum to avoid overflow in alert page

Since values need to be persisted in order to return on query requests, single rule edits can lead to a bit odd behaviour (not toggling until after apply), since modifications are advised to be performed using policies, we will keep this for now.
(the alternative is to hook apply after these changes, which also isn't a great solution)
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
@AdSchellevis
IDPS: work in progress policy editor for opnsense/core#4445
5a7c76d
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
@AdSchellevis
IDS - work in progress policy editor for opnsense/core#4445
f480c33 
o page render performance improvements
o layout rules section
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
@AdSchellevis
IDS: bugfix previous for for opnsense/core#4445
2878c34
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
@AdSchellevis
IDS: work in progress policy editor for opnsense/core#4445
1858127 
With this commit policies functionally work, but there's still some refactoring todo.
o migrate download filters to a policy
o remove download filter option
o point to policies in the download section
o (maybe) move single rule overwrites to policies as well.
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
@AdSchellevis
IDPS: deprecate filter option on file downloads in favour of new poli…
85e5360 
…cy option. migrates exsting filters to policies while there. for opnsense/core#4445
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
@AdSchellevis
IDPS: deprecate filter option on file downloads in favour of new poli…
bab4b40 
…cy option. migrates exsting filters to policies while there. for opnsense/core#4445
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
@AdSchellevis
IDPS: bug in policy parser preventing ruleset filter to function. for o…
bb0ddb4 
…pnsense/core#4445
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
@AdSchellevis
IDPS: bug in policy parser preventing ruleset filter to function. for o…
2a1a1dc 
…pnsense/core#4445
oshogbo pushed a commit to DynFi/opnsense-core that referenced this issue Mar 3, 2022
@AdSchellevis
IDPS: minor fixes and improvements for new policy feature (opnsense/c…
4089f8f 
…ore#4445).

o feedback matched policy so we can easily find affective choice in the rule tab
o remove installed_action, installed_status since these values aren't valid anymore
o while here, set <pre/> tag width to a maximum to avoid overflow in alert page

Since values need to be persisted in order to return on query requests, single rule edits can lead to a bit odd behaviour (not toggling until after apply), since modifications are advised to be performed using policies, we will keep this for now.
(the alternative is to hook apply after these changes, which also isn't a great solution)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AdSchellevis AdSchellevis

Labels
feature Adding new functionality
Milestone
No milestone
Development

No branches or pull requests
1 participant
@AdSchellevis