IDS: Add checkbox for exception-policy #7271
defaults in their documentation seem to be rather convoluted this release, not sure what happened there, but for now I prefer setting these values to their advertised defaults to prevent issues and additional user interaction. If at one point we do want to offer access to these parameters, we should add all possible options instead of a checkbox anyway. For reference, the sample yaml also seems to suggest ignore as being default (and not needed to set): I'll close this ticket with a commit to set it to the default, next it might also be a good idea to compare differences between our default yaml and theirs, but that's probably for a next minor release.
@mimugmail @AdSchellevis Hi
@kulikov-a I'm not sure that's needed now as we also added ce87c2f and 0d676c7 to ignore midstream exceptions. Are there known cases where this 9b82093 doesn't fix the current issues?
no actually. just a precaution in case the memcap hit |
…recaution as suggested by @kulikov-a in #7271
@kulikov-a Maybe we should go in phases then, 4cf6870 aligns the
@AdSchellevis sounds logical ) Thanks!
…recaution as suggested by @kulikov-a in #7271 (cherry picked from commit 36b2b66)
…recaution as suggested by @kulikov-a in #7271
Hi,
Suricata 7 added exception policies:
https://docs.suricata.io/en/latest/configuration/exception-policies.html#exception-policies
When just upgrading to 24.1.2 there is no entry in suricata.yml which seems to activate this feature:
https://forum.suricata.io/t/my-traffic-gets-blocked-after-upgrading-to-suricata-7/3745
Two confirmations that when adding it to custom.yml it seems to work again in Suricata 6 behavior:
https://forum.opnsense.org/index.php?topic=38961.0
https://forum.opnsense.org/index.php?topic=38944.0
There might arise more problems e.g. when running openvpn on port 443 as it also does not speak https.
Nonetheless, in the official documentation it states that the default is ignore but it only seems to act like v6 when adding it explicitly, so maybe we can also set it to enabled by default, or just activate it in suricata.yml without a knob and leave the decision up to you guys :)
https://docs.suricata.io/en/latest/configuration/exception-policies.html#exception-policies
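
For readers following the thread, the settings under discussion look like this when written out explicitly. This fragment is an added example, not taken from the issue or from the OPNsense commits; the key names are those of the Suricata 7 exception-policy documentation linked above, and where the fragment is placed (main config or a custom include) is left as an assumption.

```yaml
# Constructed example, not the project's shipped configuration.
# Master switch. "auto" resolves to drop-flow (falling back to drop-packet)
# in IPS mode and to ignore in IDS mode; "ignore" gives the Suricata 6 behaviour.
exception-policy: ignore

# Per-exception settings; when present, each overrides the master switch.
stream:
  midstream-policy: ignore      # flow picked up mid-session
  memcap-policy: ignore         # stream memcap reached
  reassembly:
    memcap-policy: ignore       # reassembly memcap reached
flow:
  memcap-policy: ignore         # flow memcap reached
defrag:
  memcap-policy: ignore         # defrag memcap reached
app-layer:
  error-policy: ignore          # application-layer parser entered an error state
```

With `ignore`, traffic that triggers one of these exceptions keeps flowing without full inspection, so the setting fails open. An inline deployment that needs to fail closed would set the relevant key to `drop-flow` or `reject` and size the memcaps accordingly.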