Bug #6663

Updated by Erik Sørli 4 months ago

h3. Description 

 The following config rule, which when it matches is supposed to change the configuration of a flow, does not disable logging of the traffic in Suricata: 

 
 @ 
 config dns $IGNORE_DNS_CLIENT any -> any any (msg: "dns traffic disable"; config: logging disable, type tx, scope tx; flowbits: set, dns_traffic_disable; sid:1; rev:1;) 
 @ 
 h1. Current behaviour 

 
 When testing the disable-logging functionality on Suricata 7.0.2, the Suricata engine does not disable transaction logging of the traffic defined in the config rule. Looking through the source code, the following snippet also does not handle the flow logic: 

 
 @ 
     if (this_tx) { 
         SCLogDebug("tx logic here: tx_id %"PRIu64, det_ctx->tx_id); 
         ConfigApplyTx(p->flow, det_ctx->tx_id, config); 
     } else if (this_flow) { 
         SCLogDebug("flow logic here"); /* no apply call for the flow scope here */ 
     } 
 } 
 @ 
 h1. Expected behaviour 

 
 Later versions of Suricata are supposed to allow config rules that, when they match, change the configuration for a flow, transaction, packet or other unit, disabling records in eve.json and Lua output. 

 h1. Notes 

 
 The rule does match the traffic, as it tags the flow with the flowbit defined in the config rule; however, as mentioned, the traffic is still logged in the eve.json file. 
 A pcap file is also added to ease replication of the issue. 
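A constructed model of the scope dispatch shown in the snippet above, added here as an example; it is not Suricata's source, and the type, struct and function names (Flow, Config, ConfigApplyFlow, TxLoggingEnabled, LoggedTxCount) are assumptions. It places a dispatch whose flow branch only emits a debug message next to one that applies a flow-scoped config, and shows the check an output module would run before writing a transaction record, so the difference between "tx scope disables one record" and "flow scope disables the whole flow" is visible in the counts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of config-rule scope dispatch. None of these names are
 * Suricata's; they only mirror the shape of the snippet in the report. */
enum ConfigType  { CONFIG_TYPE_LOGGING };
enum ConfigScope { CONFIG_SCOPE_TX, CONFIG_SCOPE_FLOW };

#define MAX_TX 8

typedef struct {
    bool log_disabled;               /* flow scope: suppresses every tx */
    bool tx_log_disabled[MAX_TX];    /* tx scope: suppresses one tx */
} Flow;

typedef struct {
    enum ConfigType  type;
    enum ConfigScope scope;
    bool disable;                    /* "logging disable" */
} Config;

static void ConfigApplyTx(Flow *f, uint64_t tx_id, const Config *c)
{
    if (c->type == CONFIG_TYPE_LOGGING && tx_id < MAX_TX)
        f->tx_log_disabled[tx_id] = c->disable;
}

static void ConfigApplyFlow(Flow *f, const Config *c)
{
    if (c->type == CONFIG_TYPE_LOGGING)
        f->log_disabled = c->disable;
}

/* Dispatch as the reported snippet has it: the flow branch only emits a
 * debug message, so a flow-scoped config is silently dropped.
 * Returns true when the config was actually applied. */
static bool ConfigApplyReported(Flow *f, uint64_t tx_id, const Config *c)
{
    if (c->scope == CONFIG_SCOPE_TX) {
        ConfigApplyTx(f, tx_id, c);
        return true;
    } else if (c->scope == CONFIG_SCOPE_FLOW) {
        /* "flow logic here": nothing is applied */
        return false;
    }
    return false;
}

/* Dispatch with the flow branch filled in. */
static bool ConfigApplyComplete(Flow *f, uint64_t tx_id, const Config *c)
{
    if (c->scope == CONFIG_SCOPE_TX) {
        ConfigApplyTx(f, tx_id, c);
        return true;
    } else if (c->scope == CONFIG_SCOPE_FLOW) {
        ConfigApplyFlow(f, c);
        return true;
    }
    return false;
}

/* The check an output module would make before writing an eve record:
 * a flow-level disable wins, otherwise the per-tx flag decides. */
static bool TxLoggingEnabled(const Flow *f, uint64_t tx_id)
{
    if (f->log_disabled)
        return false;
    if (tx_id < MAX_TX && f->tx_log_disabled[tx_id])
        return false;
    return true;
}

/* Scenario: a fresh flow with three transactions, the config rule matching
 * on tx `matched_tx`. Returns how many of the three would still be logged. */
static int LoggedTxCount(bool complete, enum ConfigScope scope, uint64_t matched_tx)
{
    Flow f;
    memset(&f, 0, sizeof f);
    Config c = { CONFIG_TYPE_LOGGING, scope, true };
    if (complete)
        ConfigApplyComplete(&f, matched_tx, &c);
    else
        ConfigApplyReported(&f, matched_tx, &c);
    int logged = 0;
    for (uint64_t tx = 0; tx < 3; tx++)
        if (TxLoggingEnabled(&f, tx))
            logged++;
    return logged;
}

int main(void)
{
    printf("reported dispatch, tx scope:   %d of 3 txs logged\n", LoggedTxCount(false, CONFIG_SCOPE_TX, 1));
    printf("reported dispatch, flow scope: %d of 3 txs logged\n", LoggedTxCount(false, CONFIG_SCOPE_FLOW, 1));
    printf("complete dispatch, flow scope: %d of 3 txs logged\n", LoggedTxCount(true, CONFIG_SCOPE_FLOW, 1));
    return 0;
}
```

Running the model, the reported dispatch leaves all three transactions logged under flow scope because the branch never touches the flow, while the completed dispatch suppresses the whole flow; tx scope suppresses only the matched transaction in both. When verifying a fix against the attached pcap, the same distinction is what to check in eve.json: a tx-scoped rule should remove one record, a flow-scoped rule every record for that flow.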
