Bug #1888: noalert in a pass rule disables the rule
Status: closed
Affected Versions:
Effort:
Difficulty:
Label:
Description
Found on v3.1.1 and v3.1.2
If you have a rule such as the following, to bypass every other rule without generating any alerts:
pass ip any any -> any any (msg:"Bypass Suri";noalert; sid:1010000;)
it seems like the rule does not work at all. For example, let's say you have only two rules, one of them is pass, the other one alerts when navigating to testmyids.com:
pass ip any any -> any any (msg:"Bypass Suri";noalert; sid:1010000;)
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
When you do a "curl testmyids.com" from a client behind the running Suricata gateway, the attack-response rule triggers. I believe the aforementioned pass rule worked fine in v3.0.2. Currently, removing "noalert" makes the pass rule work properly, without generating any alerts.
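The following is an added example, not Suricata's code and not part of the bug report. It is a small Python model of the behaviour the reporter expected: Suricata's default action order evaluates pass rules before alert rules, and a matching pass rule stops further inspection of the packet. The two rules are the ones quoted in the report; the content matcher decodes the |hex| escapes, so `uid=0|28|root|29|` becomes `uid=0(root)`. Assumptions: rule headers are all `any`, so header matching is skipped, and only content keywords are evaluated; whether a matching pass rule itself writes an alert record is not modelled. The `lint_pass_noalert` helper is a hypothetical check you could run over a rules file to find pass rules that carry noalert, the combination the report says is ignored on v3.1.1 and v3.1.2.

```python
import re
from dataclasses import dataclass, field

# Suricata's default action order: pass rules are evaluated first, and a
# matching pass rule ends inspection of the packet (assumption: headers are
# not matched here, only content keywords).
ACTION_ORDER = ["pass", "drop", "reject", "alert"]

# Rules quoted in the bug report (constructed input for this example).
RULES_TEXT = """
pass ip any any -> any any (msg:"Bypass Suri";noalert; sid:1010000;)
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
"""

RULE_RE = re.compile(r'^(\w+)\s+([^(]+)\((.*)\)\s*$')
# keyword, optionally followed by ':' and a quoted or bare value, ending in ';'
OPT_RE = re.compile(r'\s*([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    header: str
    options: dict                      # keyword -> value ("" for flags such as noalert)
    contents: list = field(default_factory=list)  # decoded content: patterns (bytes)


def decode_content(value):
    """Turn a Suricata content string with |hex| escapes into bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2 == 0:
            out += part.encode()          # literal text between pipes
        else:
            out += bytes.fromhex(part)    # hex bytes inside |...|
    return bytes(out)


def parse_rules(text):
    """Parse one rule per line into Rule objects (minimal subset of the syntax)."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        action, header, opts = m.group(1), m.group(2).strip(), m.group(3)
        options, contents = {}, []
        for key, val in OPT_RE.findall(opts):
            val = val.strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
            if key == "content":
                contents.append(decode_content(val))
            else:
                options[key] = val
        rules.append(Rule(action, header, options, contents))
    return rules


def evaluate(rules, payload):
    """Return (verdict, alerted_sids) for one payload using pass-before-alert order."""
    alerts = []
    for rule in sorted(rules, key=lambda r: ACTION_ORDER.index(r.action)):
        if not all(pattern in payload for pattern in rule.contents):
            continue
        if rule.action == "pass":
            # Expected behaviour: a matching pass rule stops further inspection,
            # so later alert rules never fire on this packet.
            return "pass", alerts
        if rule.action == "alert" and "noalert" not in rule.options:
            alerts.append(rule.options["sid"])
    return ("alert" if alerts else "none"), alerts


def lint_pass_noalert(rules):
    """Hypothetical check: sids of pass rules that also carry noalert."""
    return [r.options.get("sid") for r in rules
            if r.action == "pass" and "noalert" in r.options]


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    body = b"uid=0(root) gid=0(root) groups=0(root)"   # constructed id-check response
    print("with pass rule:   ", evaluate(rules, body))
    print("pass rule ignored:", evaluate(rules[1:], body))
    print("pass+noalert sids:", lint_pass_noalert(rules))
```

Running the block prints the expected outcome (verdict `pass`, no alerts) next to the outcome the reporter observed, which is what you get when the pass rule is dropped from the set entirely. The lint function is the practical takeaway: on the affected versions, a pass rule that silently stops working means traffic you meant to exempt is inspected and alerted on, so listing such rules before upgrading or reworking them is a cheap check.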