Project

General

Profile

Actions

Bug #2265

closed

pass rules not taken into account

Added by Julien Bachmann about 7 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

We are having a strange behavior w/ suricata 4.0.1 that already happened w/ 2.x : pass rules are properly loaded but they are not behaving as expected (ie. whitelisting their corresponding alerting rules for a specific host). The rules were working properly before upgrading to 4.0.1 but I couldn't exactly tell at which point we loose them.

Since we didn't changed the default setting in suricata.yaml, pass should be higher in priority than alert but we had to edit our rules and add 'priority:1' to make them work. As such, it does not seems to be an issue w/ the rules but priority between alert/pass.

Suricata 4.0.1 was running on an Ubuntu 16.04 up-to-date at the time of the errors.

Actions

Also available in: Atom PDF