Project

General

Profile

Actions
Copy link

Bug #4108

open

Rule reloading: Rules that change the action from alert to drop, or drop to alert don't have their action updated.

Added by Jason Ish over 3 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
-
Affected Versions:
4.1.9, 5.0.4, 6.0.0
Effort:
Difficulty:
Label:

Description

Testing 4.1.9, 5.0.4 and 6.0.0 and all seem to be affected. To reproduce use a simple rule like:

drop icmp any any -> any any (msg:"DROP ICMP"; sid:100000000; rev:1;)

Start Suricata with a rule file like the above. Test that ICMP is dropped. Update rule to alert, send Suricata a reload-rules signal. Suricata will continue to drop ICMP. Rule reload completion was observed in Suricata output.

Same thing happens when rule starts as alert and is changed to drop.

Actions
Copy link
 #1

Updated by John Meyer over 3 years ago

To add to this:

This seems to only apply to traffic that has already matched the rule. As I test, I find that if I ping something from 10.10.10.33 to make the rule match, it still matches after a rule reload. However if I begin pinging from 10.10.10.44 after the reload, the reload has in fact worked as expected and pings are allowed or denied as per the rule.

Actions
Copy link

Also available in: Atom PDF