Bug #2265: pass rules not taken into account - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2265

closed

pass rules not taken into account

Added by Julien Bachmann over 6 years ago. Updated about 5 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Julien Bachmann

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

We are having a strange behavior w/ suricata 4.0.1 that already happened w/ 2.x : pass rules are properly loaded but they are not behaving as expected (ie. whitelisting their corresponding alerting rules for a specific host). The rules were working properly before upgrading to 4.0.1 but I couldn't exactly tell at which point we loose them.

Since we didn't changed the default setting in suricata.yaml, pass should be higher in priority than alert but we had to edit our rules and add 'priority:1' to make them work. As such, it does not seems to be an issue w/ the rules but priority between alert/pass.

Suricata 4.0.1 was running on an Ubuntu 16.04 up-to-date at the time of the errors.

Actions

Copy link

Updated by Victor Julien over 6 years ago

Can you add a test case? What does your pass rule look like and what rule is not getting 'ignored'?

Actions

Copy link

Updated by Julien Bachmann over 6 years ago

Example of alert rule : ETPRO 2803213 (alert udp any any -> ...), triggering for ip 10.1.1.10
Whitelisting it with : pass ip 10.1.1.10 any <> any any (msg:"pass traffic for fp rule"; sid:1;)
I have to add 'priority:1;' at the end of the pass rule for it to be effective

Actions

Copy link

Updated by Victor Julien over 6 years ago

I can't reproduce this. Using a similar pair of rules it works as expected. Can you (privately) share a full test case of rules+pcap to show the issue?

Actions

Copy link