Bug #3083
openDROP rule with "noalert"
Description
When the rule looks like "drop ip 8.8.8.8 any <> $HOME_NET any (msg:"TEST"; priority:1; sid:999; noalert;)", no drops appear.
Updated by Peter Manev over 5 years ago
Basically - you would like to have it dropped - but not log any events/alerts in the logs, correct?
Updated by Leonid Inodin over 5 years ago
Yes, I would like to have drops, but no alert logging. In fact, I just need it not to be logged to drop.log; the other logs don't make any sense for me.
Updated by Peter Manev over 5 years ago
Using af-packet IPS or nfqueue? What is your setup like?
Updated by Leonid Inodin over 5 years ago
Using af-packet mode. The interface config looks like:

%YAML 1.1
---
# AUTOGENERATED by Stamus SELKS set up script
# Linux high speed capture support
af-packet:
  # Put default values here. These will be used for an interface that is not
  # in the list above.
  - interface: default
    #threads: auto
    #use-mmap: no
    #rollover: yes
    #tpacket-v3: yes
  - interface: eno2
    threads: 8
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    #mmap-locked: yes
    tpacket-v3: no
    ring-size: 8192
    #block-size: 32768
    #block-timeout: 10
    #use-emergency-flush: yes
    #checksum-checks: kernel
    #bpf-filter: port 80 or udp
    copy-mode: ips
    copy-iface: enp179s0f0
  - interface: enp179s0f0
    threads: 8
    cluster-id: 100
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    #mmap-locked: yes
    tpacket-v3: no
    ring-size: 8192
    #block-size: 32768
    #block-timeout: 10
    #use-emergency-flush: yes
    #checksum-checks: kernel
    #bpf-filter: port 80 or udp
    copy-mode: ips
    copy-iface: eno2
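The af-packet IPS setup above only drops anything if the two interfaces are wired to each other correctly: each inline interface must name a copy-iface that exists and copies back, the two sides should use the same thread count, and cluster-ids must not collide. The check below is an added example (editor's code, not part of the bug report or of Suricata). It assumes the af-packet section has already been loaded into Python structures; the CONFIG list is a constructed mirror of the config posted above rather than a parsed file, and in practice you would obtain it with yaml.safe_load(open("suricata.yaml"))["af-packet"].

```python
"""Consistency check for an af-packet IPS interface pairing.

Added example, not code from the bug report or from Suricata. CONFIG is a
constructed Python mirror of the af-packet list posted in the thread; in a
real deployment load it with yaml.safe_load and pass cfg["af-packet"].
"""

# Constructed stand-in for the posted 'af-packet' list (commented keys omitted).
CONFIG = [
    {"interface": "default"},
    {"interface": "eno2", "threads": 8, "cluster-id": 99,
     "cluster-type": "cluster_flow", "defrag": False, "use-mmap": True,
     "tpacket-v3": False, "ring-size": 8192,
     "copy-mode": "ips", "copy-iface": "enp179s0f0"},
    {"interface": "enp179s0f0", "threads": 8, "cluster-id": 100,
     "cluster-type": "cluster_flow", "defrag": False, "use-mmap": True,
     "tpacket-v3": False, "ring-size": 8192,
     "copy-mode": "ips", "copy-iface": "eno2"},
]


def check_ips_pairing(af_packet):
    """Return a list of problems found in an af-packet interface list.

    An empty list means the pairing is consistent. Checks performed:
    - every named interface appears once and cluster-ids are unique;
    - every interface with copy-mode set names a copy-iface that is configured;
    - for copy-mode: ips the peer copies back (otherwise traffic is forwarded
      one way only) and both sides use the same thread count, which the
      af-packet peering expects.
    """
    by_name = {}
    problems = []
    for entry in af_packet:
        name = entry.get("interface")
        if name is None:
            problems.append("entry without 'interface' key")
            continue
        if name in by_name:
            problems.append(f"{name}: duplicate interface entry")
        by_name[name] = entry

    seen_cluster = {}
    for name, entry in by_name.items():
        if name == "default":
            # The default entry only supplies fallback values; it is never paired.
            continue
        cid = entry.get("cluster-id")
        if cid is not None:
            if cid in seen_cluster:
                problems.append(
                    f"{name}: cluster-id {cid} already used by {seen_cluster[cid]}")
            else:
                seen_cluster[cid] = name
        mode = entry.get("copy-mode")
        if mode not in ("ips", "tap"):
            continue
        peer_name = entry.get("copy-iface")
        if not peer_name:
            problems.append(f"{name}: copy-mode {mode} set but no copy-iface")
            continue
        peer = by_name.get(peer_name)
        if peer is None:
            problems.append(f"{name}: copy-iface {peer_name} is not configured")
            continue
        if mode == "ips":
            if peer.get("copy-mode") != "ips" or peer.get("copy-iface") != name:
                problems.append(
                    f"{name}: {peer_name} does not copy back (one-way ips)")
            if peer.get("threads") != entry.get("threads"):
                problems.append(
                    f"{name}: thread count {entry.get('threads')} differs "
                    f"from {peer_name} ({peer.get('threads')})")
    return problems


if __name__ == "__main__":
    for line in check_ips_pairing(CONFIG) or ["af-packet IPS pairing is consistent"]:
        print(line)
```

Run against the posted config it reports nothing, so the missing drops are not a wiring problem on the capture side; point the same function at a copy with one side's threads or copy-iface changed and it names the mismatched interface.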
Updated by Andreas Herz over 5 years ago
- Status changed from New to Assigned
- Assignee set to OISF Dev
- Target version set to TBD
This is related to #1888 where the same thing happened for the pass action.
Also keep in mind that drop.log will be removed in the near future: https://suricata-ids.org/about/deprecation-policy/