Bug #3083
DROP rule with "noalert"
Status: open
Description
When the rule looks like "drop ip 8.8.8.8 any <> $HOME_NET any (msg:"TEST"; priority:1; sid:999; noalert;)", no drops appear.
Added by Leonid Inodin over 6 years ago. Updated 2 months ago.
Basically, you would like to have it dropped, but not log any events/alerts in the logs, correct?
Yes, I would like to have drops, but no alerts logging. In fact, I just need not to log to drop.log, other logs don't have any sense for me.
Using af-packet IPS or nfqueue? What is your setup like?
Using af-packet mode. Interfaces config looks like:
%YAML 1.1

This is related to #1888, where the same thing happened for the pass action.
Also keep in mind that drop.log will be removed in the near future: https://suricata-ids.org/about/deprecation-policy/