Project

General

Profile

Actions
Copy link

Bug #2338

closed
DC CT

multiple drop rules triggered for same packet

Bug #2338: multiple drop rules triggered for same packet

Added by Dan Collins over 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Community Ticket
Target version:
Support
Affected Versions:
Effort:
Difficulty:
Label:

Description

I may be wrong but I have read that once a drop rule was in effect, the packet doesn’t get processed any further down the chain.
I am using Suricata 4.0.1 with OPNsense using IPS/inline mode.
I am seeing multiple ET rules drop from the same packet in the logs quite frequently. My concern is some rules are alerts and some are drops and I have no idea which rule would be in effect. I assume the last rule, but I have no control over rule order.
Is Suricata suppose to work this way? Is there an option change I can make in suricata.yaml to stop this?

I have attached an example of two drop rules that matched the same packet.

Files

Download all files
IPS5.jpg (42.4 KB) IPS5.jpg Dan Collins, 12/07/2017 05:16 PM
IPS4.jpg (46.9 KB) IPS4.jpg Dan Collins, 12/07/2017 05:16 PM
IPS2.jpg (53.6 KB) IPS2.jpg Dan Collins, 12/19/2017 08:46 AM
Actions
Copy link

Also available in: PDF Atom