Support #3251
closed
Added by Dan Collins about 5 years ago.
Updated almost 3 years ago.
Description
When using bypass in an alert rule, do the default action-order rules still apply, where pass and drop are done before the alert bypass is done? Or does bypass override other actions? I could not find an answer to this in any documentation.
Should I change the action-order so alerts come before drop? I only use my one custom rule, where drop drops anything not passed in a pass or bypass rule.
What I am seeing now is the bypass rule and the drop rule in the log for the same packet.
- Assignee set to Community Ticket
- Target version set to Support
The action order - https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1074 - is for the "pass" action, and the default is for "pass" to come before "alert". Then, for example, you could skip inspection for the match of that specific rule.
You are mentioning "bypass" - are you using the bypass keyword or the "pass" action for the rule (or both)? Do you mind sharing the rule?
Peter Manev wrote:
The action order - https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1074 - is for the "pass" action, and the default is for "pass" to come before "alert". Then, for example, you could skip inspection for the match of that specific rule.
You are mentioning "bypass" - are you using the bypass keyword or the "pass" action for the rule (or both)? Do you mind sharing the rule?
My question is for the use of bypass in a rule such as this one:
alert tcp $HOME_NET any -> any any (msg:"Home pass"; bypass; sid:9900002; rev:1;)
Does the action-order apply here?
The action order here is for "alert", so the defaults in yaml should apply. If you want to maximize the bypass you can use
pass tcp $HOME_NET any -> any any (msg:"Home pass"; bypass; sid:9900002; rev:1;)
Peter Manev wrote:
The action order here is for "alert", so the defaults in yaml should apply. If you want to maximize the bypass you can use
[...]
From everything I could find about 'bypass' in a rule, it can only be used in an alert and only with TCP. Is that not correct?
And if I use pass, what is the advantage of using bypass rather than just a plain pass statement?
- Status changed from New to Closed
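Added example (not part of the ticket, and not Suricata project code): a small script that writes out the default action-order fragment from suricata.yaml.in, the two rule variants discussed in the thread (the reporter's alert+bypass form and Peter Manev's pass+bypass form) next to a constructed catch-all drop rule, and validates the rule file with `suricata -T` when a Suricata binary and config are present. The sid 9900003 for the pass variant, the sid 9900100 for the drop rule, the file paths and the config location are assumptions. The point it makes visible is the one from the thread: action-order ranks the rule's action (pass, drop, reject, alert), and the bypass keyword does not change that action.

```shell
#!/bin/sh
# Added example, not from the ticket. Paths, the extra sids and the
# default config location are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Suricata's main config; the action-order fragment below is meant to be
# merged into it (assumed location).
CONFIG="${CONFIG:-/etc/suricata/suricata.yaml}"

write_action_order() {
  # Default order as shipped in suricata.yaml.in: a matching "pass" rule
  # is applied before "drop", and "alert" comes last. Only the rule's
  # action is ranked here; keywords such as bypass are not.
  cat > "$WORKDIR/action-order.yaml" <<'EOF'
action-order:
  - pass
  - drop
  - reject
  - alert
EOF
  echo "$WORKDIR/action-order.yaml"
}

write_rules() {
  cat > "$WORKDIR/local.rules" <<'EOF'
# Variant 1 (the reporter's rule): action "alert" is ranked last, so a
# drop rule matching the same packet still takes effect and both rules
# appear in the log, which is what the reporter observed.
alert tcp $HOME_NET any -> any any (msg:"Home pass"; bypass; sid:9900002; rev:1;)

# Variant 2 (Peter Manev's suggestion): action "pass" is ranked before
# "drop", so the flow is passed and the bypass keyword then stops
# further inspection of it. sid 9900003 is assumed so both variants
# can be loaded side by side for comparison.
pass tcp $HOME_NET any -> any any (msg:"Home pass"; bypass; sid:9900003; rev:1;)

# Catch-all drop as described by the reporter (constructed; sid assumed).
drop ip any any -> any any (msg:"Drop everything not passed"; sid:9900100; rev:1;)
EOF
  echo "$WORKDIR/local.rules"
}

validate_rules() {
  # Test mode (-T) parses the config and rules without starting capture.
  # Skipped, with status 0, when Suricata or its config is not present.
  if command -v suricata >/dev/null 2>&1 && [ -r "$CONFIG" ]; then
    suricata -T -c "$CONFIG" -S "$WORKDIR/local.rules"
  else
    echo "suricata or $CONFIG not found; skipping -T validation" >&2
  fi
}

write_action_order
write_rules
validate_rules
```

Merge the action-order fragment into the main suricata.yaml rather than loading it on its own; `suricata -T -S` only checks that the rules parse, so it confirms the syntax of both variants but not which one fires first, which is decided by the action-order list in the config.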