Bug #2265
Status: closed
pass rules not taken into account
Description
We are seeing strange behavior with Suricata 4.0.1 that already happened with 2.x: pass rules are properly loaded but they are not behaving as expected (i.e. whitelisting their corresponding alert rules for a specific host). The rules were working properly before upgrading to 4.0.1, but I couldn't tell exactly at which point we lost them.
Since we didn't change the default setting in suricata.yaml, pass should have higher priority than alert, but we had to edit our rules and add 'priority:1' to make them work. As such, it does not seem to be an issue with the rules but with the priority between alert/pass.
Suricata 4.0.1 was running on an up-to-date Ubuntu 16.04 at the time of the errors.
Updated by Victor Julien almost 7 years ago
Can you add a test case? What does your pass rule look like and what rule is not getting 'ignored'?
Updated by Julien Bachmann almost 7 years ago
Example of alert rule: ETPRO 2803213 (alert udp any any -> ...), triggering for IP 10.1.1.10
Whitelisting it with: pass ip 10.1.1.10 any <> any any (msg:"pass traffic for fp rule"; sid:1;)
I have to add 'priority:1;' at the end of the pass rule for it to be effective.
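An offline reproducer of the kind requested in this ticket, added here as an example and not part of the original report: it writes the rule pair above (with a constructed stand-in for the ET PRO signature, which is not on this page) to a rules file, runs Suricata in pcap mode with only those rules loaded, and counts eve.json alerts for sid 2803213 from 10.1.1.10. It assumes suricata is on PATH with its default suricata.yaml, and a capture path is given as the first argument.

```shell
#!/bin/sh
# Added example, not code from the ticket. Assumes: suricata on PATH using its
# default suricata.yaml, and a capture containing UDP traffic from 10.1.1.10.

# Write the rule pair from the ticket. The alert rule is a constructed stand-in
# carrying the same sid as ETPRO 2803213; it fires on any UDP packet.
write_rules() {
    rules="$1"
    cat > "$rules" <<'EOF'
alert udp any any -> any any (msg:"stand-in for ETPRO 2803213"; sid:2803213; rev:1;)
pass ip 10.1.1.10 any <> any any (msg:"pass traffic for fp rule"; sid:1; rev:1;)
EOF
    echo "$rules"
}

# Count eve.json alert events for a signature id from a given source IP.
# Field order is not assumed; each grep narrows the previous result.
count_alerts() {
    eve="$1"; sid="$2"; ip="$3"
    grep '"event_type":"alert"' "$eve" \
        | grep "\"src_ip\":\"$ip\"" \
        | grep -c "\"signature_id\":$sid" || true
}

# Run Suricata over the capture with only our rules (-S = exclusive rule file),
# then report whether the whitelisted host still produced alerts for the sid.
run_repro() {
    pcap="$1"; logdir="${2:-./repro-logs}"
    mkdir -p "$logdir"
    rules=$(write_rules "$logdir/repro.rules")
    suricata -r "$pcap" -S "$rules" -l "$logdir" > /dev/null
    n=$(count_alerts "$logdir/eve.json" 2803213 10.1.1.10)
    if [ "$n" -eq 0 ]; then
        echo "OK: pass rule suppressed sid 2803213 for 10.1.1.10"
    else
        echo "BUG: $n alert(s) for sid 2803213 from 10.1.1.10 despite pass rule"
    fi
    return "$n"
}

# Only run the capture when a pcap path is given and suricata is available.
if [ -n "${1:-}" ] && command -v suricata > /dev/null 2>&1; then
    run_repro "$1"
fi
```

To bisect the behaviour described in the ticket, run it once as-is and once with `priority:1;` appended to the pass rule in repro.rules; the two runs should report the same result when pass ordering works.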
Updated by Victor Julien almost 7 years ago
I can't reproduce this. Using a similar pair of rules it works as expected. Can you (privately) share a full test case of rules+pcap to show the issue?
Updated by Julien Bachmann almost 7 years ago
Can't reproduce it in my lab either... I will try to reproduce it again in the environment I had the bug. Sorry about the delay.
Updated by Andreas Herz almost 7 years ago
- Assignee set to Julien Bachmann
- Target version set to TBD
Did you have a chance to reproduce it?
Updated by Julien Bachmann almost 7 years ago
Andreas Herz wrote:
Did you have a chance to reproduce it?
Sorry for the late reply, my apologies. We were not able to reproduce it and everything has been fine since.
We can close this issue.
Updated by Peter Manev almost 7 years ago
- Status changed from New to Closed
Thank you for the feedback!
Closed as per request.