Description¶

Considering the following rule, containing a config rule that when matches changes the configuration of a flow does not disable logging of traffic in Suricata:

config dns $IGNORE_DNS_CLIENT any -> any any (msg: "dns traffic disable"; config: logging disable, type tx, scope tx; flowbits: set, dns_traffic_disable; sid:1; rev:1;)

Current behaviour¶

When testing the disable logging functionality running suricata 7.0.2, the suricata engine does not disable transaction logging of the traffic defined in the config rule. When looking through the source code, the following code snippet does not handle flow logic as well:

if (this_tx) {
SCLogDebug("tx logic here: tx_id %"PRIu64, det_ctx->tx_id);
ConfigApplyTx(p->flow, det_ctx->tx_id, config);
} else if (this_flow) {
SCLogDebug("flow logic here");
}

Expected behaviour¶

Later versions of suricata is supposed to allow config rules, that when matching changes the configuration for a flow, transaction, packet or other unit, disabling records of eve.json and LUA output.

Notes¶

The rules does match the traffic, as it does tag the flow with the flowbit defined in the config rule, however as mentioned still logs the traffic in the eve.json file.
A pcap file is also added to ease replication of the issue.