Bug #3083
closedDROP rule with "noalert"
Description
When the rule look like "drop ip 8.8.8.8 any <> $HOME_NET any (msg:"TEST"; priority:1; sid:999; noalert;)" no drops appears.
PM Updated by Peter Manev almost 7 years ago
Basically - you would like to have it dropped - but not log any events/alerts in the logs , correct ?
LI Updated by Leonid Inodin almost 7 years ago
Yes, I would like to have drops, but no alerts logging. In fact, I just need not to log to drop.log, other logs don't have any sense for me.
PM Updated by Peter Manev almost 7 years ago
Using af-packet ips or nfqueue ? What is your set up like?
LI Updated by Leonid Inodin almost 7 years ago
Using af-packet mode. Interfaces config looks like:
%YAML 1.1---
- AUTOGENERATED by Stamus SELKS set up script
- Linux high speed capture support
af-packet: # Put default values here. These will be used for an interface that is not # in the list above.
- interface: default
#threads: auto
#use-mmap: no
#rollover: yes
#tpacket-v3: yes
- interface: eno2
threads: 8
cluster-id: 99
cluster-type: cluster_flow
defrag: no
use-mmap: yes
#mmap-locked: yes
tpacket-v3: no
ring-size: 8192
#block-size: 32768
#block-timeout: 10
#use-emergency-flush: yes
#checksum-checks: kernel
#bpf-filter: port 80 or udp
copy-mode: ips
copy-iface: enp179s0f0
- interface: enp179s0f0
threads: 8
cluster-id: 100
cluster-type: cluster_flow
defrag: no
use-mmap: yes
#mmap-locked: yes
tpacket-v3: no
ring-size: 8192
#block-size: 32768
#block-timeout: 10
#use-emergency-flush: yes
#checksum-checks: kernel
#bpf-filter: port 80 or udp
copy-mode: ips
copy-iface: eno2
AH Updated by Andreas Herz over 6 years ago
- Status changed from New to Assigned
- Assignee set to OISF Dev
- Target version set to TBD
This is related to #1888 where the same thing happened for the pass action.
Also keep in mind that drop.log will be removed in the near future: https://suricata-ids.org/about/deprecation-policy/
JF Updated by Juliana Fajardini Reichow 9 months ago
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
JF Updated by Juliana Fajardini Reichow 8 months ago
- Target version changed from TBD to 9.0.0-beta1
JF Updated by Juliana Fajardini Reichow about 2 months ago
Start by adding an SV test for this... Drop would be shown by stats counter and verdict.
JF Updated by Juliana Fajardini Reichow about 2 months ago
Checking test bug-4663 (cf file https://github.com/OISF/suricata-verify/blob/master/tests/bug-4663/test.yaml ), it seems that this is resolved...
JF Updated by Juliana Fajardini Reichow about 2 months ago
- Status changed from Assigned to Closed
Bug #4663 fix (https://github.com/OISF/suricata/pull/6368/changes/02c60991a1dbc3f2b5e6f6a427e1577b2c54dd1a) seems to fix this for Suricata 7. It was then backported to versions 5 and 6. So, from my understanding, this issue is fixed for all supported versions.
The test linked on the previous note covers this, as it uses the noalert keyword, and checks that indeed no alert output is generated.
JF Updated by Juliana Fajardini Reichow about 2 months ago
- Related to Bug #4663: rules: drop rules with noalert not fully dropping added