Feature #5466: detect: allow alert-then-pass logic - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #5466

closed

VJ VJ

detect: allow alert-then-pass logic

Feature #5466: detect: allow alert-then-pass logic

Added by Victor Julien over 3 years ago. Updated almost 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

8.0.0-beta1

Effort:

Difficulty:

Label:

Description

Currently pass acts as a noalert rule that stops further alerting.

Some usecases have been identified in which ppl want a "alert then pass" in a single rule. Currently they are forced to express this in 2 rules, an alert rule and a pass rule, where the action order and or priorities needs to be setup such that the alert rule is evaluated first.

We do support the following: alert .... (bypass; ...).

I think we could extend the config rule keyword for this.

E.g. something like:
alert ... (config:logging disable, type alert, scope flow;)

The behavior would still need to log the current alert, so it needs a bit of thought on how to express this.

Subtasks 1 (0 open — 1 closed)

Related issues 1 (0 open — 1 closed)

JI Updated by Jason Ish over 3 years ago Actions
Copy link
#1

One thought, a companion keyword to noalert: alert.

pass ftp a b -> c d (msg:"LOG This as a reason why the flow passed"; alert; ...;)

SB Updated by Shivani Bhardwaj over 3 years ago Actions
Copy link
#2

I like Jason's idea. Other thoughts:

1. config:action pass, type alert, scope flow Not sure if adding more than logging subsystem to config would be too much pain though.
2. new keyword to define next action post match. action:pass which sets the rule's action to the defined action after executing the current defined action on the rule. (perhaps some other name to avoid confusion with the logs)