Project

General

Profile

Actions

Feature #5466

closed

detect: allow alert-then-pass logic

Added by Victor Julien over 2 years ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Currently pass acts as a noalert rule that stops further alerting.

Some usecases have been identified in which ppl want a "alert then pass" in a single rule. Currently they are forced to express this in 2 rules, an alert rule and a pass rule, where the action order and or priorities needs to be setup such that the alert rule is evaluated first.

We do support the following: alert .... (bypass; ...).

I think we could extend the config rule keyword for this.

E.g. something like:
alert ... (config:logging disable, type alert, scope flow;)

The behavior would still need to log the current alert, so it needs a bit of thought on how to express this.


Subtasks 1 (0 open1 closed)

Feature #6674: detect: allow alert-then-pass logic (7.0.x backport)ClosedVictor JulienActions

Related issues 1 (0 open1 closed)

Related to Suricata - Documentation #6685: userguide: explain noalert keywordClosedJeff LucovskyActions
Actions #1

Updated by Jason Ish about 2 years ago

One thought, a companion keyword to noalert: alert.

pass ftp a b -> c d (msg:"LOG This as a reason why the flow passed"; alert; ...;)
Actions #2

Updated by Shivani Bhardwaj almost 2 years ago

I like Jason's idea. Other thoughts:

1. config:action pass, type alert, scope flow Not sure if adding more than logging subsystem to config would be too much pain though.
2. new keyword to define next action post match. action:pass which sets the rule's action to the defined action after executing the current defined action on the rule. (perhaps some other name to avoid confusion with the logs)

Actions #3

Updated by Juliana Fajardini Reichow over 1 year ago

As a first solution, think of achieving this as a configuration option to log `PASS` rules to the alert eve type.

Actions #4

Updated by Juliana Fajardini Reichow over 1 year ago

  • Target version changed from TBD to 7.0.0-rc2
Actions #5

Updated by Juliana Fajardini Reichow over 1 year ago

  • Target version changed from 7.0.0-rc2 to 8.0.0-beta1
Actions #6

Updated by Victor Julien 12 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Label Needs backport to 7.0 added
Actions #7

Updated by OISF Ticketbot 12 months ago

  • Subtask #6674 added
Actions #8

Updated by OISF Ticketbot 12 months ago

  • Label deleted (Needs backport to 7.0)
Actions #9

Updated by Victor Julien 11 months ago

  • Status changed from Assigned to In Review
Actions #10

Updated by Juliana Fajardini Reichow 11 months ago

Actions #12

Updated by Victor Julien 6 months ago

  • Status changed from In Review to Resolved
Actions #13

Updated by Victor Julien 6 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF