Bug #2265
closed
pass rules not taken into account
Added by Julien Bachmann over 6 years ago.
Updated about 5 years ago.
Description
We are having a strange behavior w/ suricata 4.0.1 that already happened w/ 2.x : pass rules are properly loaded but they are not behaving as expected (ie. whitelisting their corresponding alerting rules for a specific host). The rules were working properly before upgrading to 4.0.1 but I couldn't exactly tell at which point we loose them.
Since we didn't changed the default setting in suricata.yaml, pass should be higher in priority than alert but we had to edit our rules and add 'priority:1' to make them work. As such, it does not seems to be an issue w/ the rules but priority between alert/pass.
Suricata 4.0.1 was running on an Ubuntu 16.04 up-to-date at the time of the errors.
Can you add a test case? What does your pass rule look like and what rule is not getting 'ignored'?
Example of alert rule : ETPRO 2803213 (alert udp any any -> ...), triggering for ip 10.1.1.10
Whitelisting it with : pass ip 10.1.1.10 any <> any any (msg:"pass traffic for fp rule"; sid:1;)
I have to add 'priority:1;' at the end of the pass rule for it to be effective
I can't reproduce this. Using a similar pair of rules it works as expected. Can you (privately) share a full test case of rules+pcap to show the issue?
Can't reproduce it in my lab either... I will try to reproduce it again in the environment I had the bug. Sorry about the delay.
- Assignee set to Julien Bachmann
- Target version set to TBD
did you have a chance to reproduce it?
Andreas Herz wrote:
did you have a chance to reproduce it?
Sorry for the late reply, all my apologies. We were not able to reproduce it and everything is fine since.
We can close this issue
- Status changed from New to Closed
Thank you for the feedback!
Closed as per request.
- Target version deleted (
TBD)
Also available in: Atom
PDF