Support #3013

closed

The rules detect order

Added by John Smith over 5 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Affected Versions:
Label:

Description

Does Suricata detect the rules whose action is "pass" first, and then the rules with "alert"/"drop"?
And if two rules have the same action like 'alert', will Suricata detect the rule which has the smaller id first?
I just want to know the order in which Suricata detects the rules.
Please give me some suggestions, thank you very much!

Actions #1

Updated by Andreas Herz over 5 years ago

  • Assignee changed from Victor Julien to OISF Dev
  • Target version set to Support

Normally "pass" always comes before "alert" and "drop".
(for the order within alert rules itself I'm not sure if it can be predicted)
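The "pass before alert and drop" behaviour described above can be modelled with a small sorter. The following is an added example, not code from the ticket or from Suricata itself: it parses a handful of constructed rules, ranks them by action using the default action order Suricata applies (pass, drop, reject, alert), and breaks ties with the `priority` keyword. It models only those two criteria; the real ordering logic in detect-engine-sigorder.c applies further criteria that are left out here, and the default priority of 3 for rules without an explicit `priority` keyword is an assumption made for this example. The sids and messages are made up.

```python
import re
from typing import Dict, List

# Default action order Suricata uses when ordering signatures:
# "pass" rules are evaluated first, then "drop", "reject" and finally "alert".
DEFAULT_ACTION_ORDER = ["pass", "drop", "reject", "alert"]

# Constructed sample rules for this example (sids and msgs are made up).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"alert rule"; sid:1000001; rev:1;)',
    'drop tcp any any -> any 80 (msg:"drop rule"; sid:1000002; rev:1;)',
    'pass tcp any any -> any 80 (msg:"pass rule"; sid:1000003; rev:1;)',
    'alert tcp any any -> any 80 (msg:"high priority alert"; priority:1; sid:1000004; rev:1;)',
    'alert tcp any any -> any 80 (msg:"low priority alert"; priority:4; sid:1000005; rev:1;)',
]

# action, protocol, then everything up to the option list in parentheses
RULE_RE = re.compile(r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+.*?\((?P<options>.*)\)\s*$")


def parse_rule(line: str) -> Dict:
    """Extract the fields needed for ordering from one rule line."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts: Dict[str, str] = {}
    for opt in m.group("options").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "sid": int(opts["sid"]),
        # assumption for this example: rules without an explicit priority get 3
        "priority": int(opts.get("priority", 3)),
        "msg": opts.get("msg", ""),
    }


def order_signatures(rules: List[str], action_order: List[str] = DEFAULT_ACTION_ORDER) -> List[Dict]:
    """Order rules by action rank, then by priority (lower value first).

    Python's sort is stable, so rules that tie on both keys keep the order in
    which they were loaded; sid alone is not a sort key.
    """
    rank = {action: i for i, action in enumerate(action_order)}
    parsed = [parse_rule(r) for r in rules]
    return sorted(parsed, key=lambda r: (rank.get(r["action"], len(rank)), r["priority"]))


def ordered_sids(rules: List[str], action_order: List[str] = DEFAULT_ACTION_ORDER) -> List[int]:
    """Convenience wrapper returning only the sids in evaluation order."""
    return [r["sid"] for r in order_signatures(rules, action_order)]


if __name__ == "__main__":
    for r in order_signatures(SAMPLE_RULES):
        print(f'{r["action"]:<6} prio={r["priority"]} sid={r["sid"]} {r["msg"]}')
```

With the default order the pass rule comes out first, then the drop rule, then the three alert rules sorted by priority, so a lower sid does not by itself mean earlier evaluation. The `action_order` parameter mirrors the `action-order` list in suricata.yaml, which is where the relative order of the four actions is configured; passing a different list to `ordered_sids` shows how the evaluation order shifts.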

Actions #2

Updated by John Smith over 5 years ago

Yes, if rules have the same proto, "pass" always comes before "alert" and "drop".
But when I use rules with different protos, it seems rules with "ip" have first priority, then "tcp | udp", and the last is "alproto".
So I want to know whether I can change the priority to "alproto", then "tcp | udp", and last "ip".
If you have any good comments, thank you very much!

Actions #3

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Feedback

I don't think there is a way to change that order, although I see that it might be relevant for the IPS mode where you want to drop traffic.

Actions #4

Updated by Victor Julien about 5 years ago

The file to look at is detect-engine-sigorder.c

Actions #5

Updated by Andreas Herz about 4 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
