
Bug #3083

DROP rule with "noalert"

Added by Leonid Inodin 3 months ago. Updated 3 months ago.

Status:
Assigned
Priority:
Normal

Description

When the rule looks like "drop ip 8.8.8.8 any <> $HOME_NET any (msg:"TEST"; priority:1; sid:999; noalert;)" no drops appear.

History

#1

Updated by Peter Manev 3 months ago

Basically - you would like to have it dropped - but not log any events/alerts in the logs, correct?

#2

Updated by Leonid Inodin 3 months ago

Yes, I would like to have drops, but no alert logging. In fact, I just need it not to log to drop.log; the other logs don't make any sense for me.

#3

Updated by Peter Manev 3 months ago

Using af-packet IPS or nfqueue? What is your setup like?

#4

Updated by Leonid Inodin 3 months ago

Using af-packet mode. The interfaces config looks like:

%YAML 1.1
---
# AUTOGENERATED by Stamus SELKS set up script
# Linux high speed capture support
af-packet:
  # Put default values here. These will be used for an interface that is not
  # in the list above.
  - interface: default
    #threads: auto
    #use-mmap: no
    #rollover: yes
    #tpacket-v3: yes
  - interface: eno2
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    #mmap-locked: yes
    tpacket-v3: no
    ring-size: 8192
    #block-size: 32768
    #block-timeout: 10
    #use-emergency-flush: yes
    #checksum-checks: kernel
    #bpf-filter: port 80 or udp
    copy-mode: ips
    copy-iface: enp179s0f0
  - interface: enp179s0f0
    threads: 8
    cluster-id: 100
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    #mmap-locked: yes
    tpacket-v3: no
    ring-size: 8192
    #block-size: 32768
    #block-timeout: 10
    #use-emergency-flush: yes
    #checksum-checks: kernel
    #bpf-filter: port 80 or udp
    copy-mode: ips
    copy-iface: eno2

#5

Updated by Andreas Herz 3 months ago

  • Status changed from New to Assigned
  • Assignee set to OISF Dev
  • Target version set to TBD

This is related to #1888 where the same thing happened for the pass action.

Also keep in mind that drop.log will be removed in the near future: https://suricata-ids.org/about/deprecation-policy/
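A small ruleset audit, added here as an example and not part of this report or of Suricata's own code: it parses rule lines with a simplified grammar and lists every drop rule (and, for the related #1888 case, every pass rule) that carries noalert, so an operator can find the rules whose action may not be applied until this is fixed. The sample ruleset is constructed for the example.

```python
import re

# Simplified Suricata rule grammar: action header (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+'
    r'(?P<header>[^(]+?)\s*\((?P<options>.*)\)$')

def parse_options(opts):
    """Split the option string into (keyword, value-or-None) pairs.
    A ';' inside a quoted value (msg:"a;b") does not terminate an option."""
    out, buf, in_quote = [], '', False
    for c in opts:
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            if buf.strip():
                k, _, v = buf.strip().partition(':')
                out.append((k.strip(), v.strip() or None))
            buf = ''
        else:
            buf += c
    if buf.strip():  # tolerate a missing final ';'
        k, _, v = buf.strip().partition(':')
        out.append((k.strip(), v.strip() or None))
    return out

def find_silent_action_rules(rules_text):
    """Return [(sid, action)] for every drop/pass rule that carries noalert."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = dict(parse_options(m.group('options')))
        if m.group('action') in ('drop', 'pass') and 'noalert' in opts:
            hits.append((int(opts.get('sid') or 0), m.group('action')))
    return hits

# Constructed sample ruleset: the rule from this report plus three controls.
SAMPLE_RULES = '''
drop ip 8.8.8.8 any <> $HOME_NET any (msg:"TEST"; priority:1; sid:999; noalert;)
drop ip 8.8.8.8 any <> $HOME_NET any (msg:"TEST; alerting"; sid:1000;)
alert tcp any any -> any 80 (msg:"plain alert"; sid:1001; noalert;)
pass tcp $HOME_NET any -> any 443 (msg:"trusted"; sid:1002; noalert;)
'''
```

Running `find_silent_action_rules(SAMPLE_RULES)` returns the sids of the affected drop and pass rules while leaving the alerting drop rule and the alert rule alone.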
