Bug #1888
noalert in a pass rule disables the rule
Status: Closed
Description
Found on v3.1.1 and v3.1.2
If you have a rule such as the following, to bypass every other rule without generating any alerts:
pass ip any any -> any any (msg:"Bypass Suri";noalert; sid:1010000;)
it seems like the rule does not work at all. For example, let's say you have only two rules, one of them is pass, the other one alerts when navigating to testmyids.com:
pass ip any any -> any any (msg:"Bypass Suri";noalert; sid:1010000;)
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
When you do a "curl testmyids.com" from a client behind the running Suricata gateway, the attack-response rule triggers. I believe the aforementioned pass rule worked fine in v3.0.2. Currently, removing "noalert" makes the pass rule work properly, without generating any alerts.
Updated by Andreas Herz about 8 years ago
- Assignee set to OISF Dev
- Target version changed from 3.1.2 to TBD
Updated by Andreas Herz about 8 years ago
What IPS mode are you running? NFQUEUE maybe?
Updated by Andreas Herz about 8 years ago
- Status changed from New to Assigned
This is confirmed for 3.0.2 as well.
AFAIK "pass" rules don't log, so using "noalert" shouldn't change anything but looks like it "disables" the "pass" rule.
Besides looking into the code why this happens there might also be a discussion how to handle those rules wrt logging. For pcap.log we have a honor-pass-rules value.
Updated by Victor Julien almost 8 years ago
- Target version changed from TBD to 70
Updated by Victor Julien over 7 years ago
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from 70 to 4.0rc2
Updated by Victor Julien over 7 years ago
- Status changed from Assigned to Closed