Project

General

Profile

Actions

Bug #1888

closed

noalert in a pass rule disables the rule

Added by Michael Knight over 8 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found on v3.1.1 and v3.1.2

If you have rule such as the following, to bypass every other rule without generating any alerts:

pass ip any any -> any any (msg:"Bypass Suri";noalert; sid:1010000;)

it seems like rule does not work at all. For example, let's say you have only two rules, one of them is pass, the other one alerts when navigating to testmyids.com:

pass ip any any -> any any (msg:"Bypass Suri";noalert; sid:1010000;)
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)

When you do a "curl testmyids.com" from a client behind the running Suricata gateway, attack-response rule triggers. I believe the aforementioned pass rule worked fine in v3.0.2. Currently, removing "noalert" makes the pass rule work properly, without generating any alerts.

Actions #1

Updated by Andreas Herz over 8 years ago

  • Assignee set to OISF Dev
  • Target version changed from 3.1.2 to TBD
Actions #2

Updated by Andreas Herz over 8 years ago

What IPS mode are you running? NFQUEUE maybe?

Actions #3

Updated by Michael Knight over 8 years ago

Yes, NFQ mode.

Actions #4

Updated by Andreas Herz over 8 years ago

  • Status changed from New to Assigned

This is confirmed for 3.0.2 as well.

AFAIK "pass" rules don't log, so using "noalert" shouldn't change anything but looks like it "disables" the "pass" rule.
Besides looking into the code why this happens there might also be a discussion how to handle those rules wrt logging. For pcap.log we have a honor-pass-rules value.

Actions #5

Updated by Victor Julien about 8 years ago

  • Target version changed from TBD to 70
Actions #6

Updated by Victor Julien over 7 years ago

  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from 70 to 4.0rc2
Actions #7

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF