Bug #4108

open

Rule reloading: Rules that change the action from alert to drop, or drop to alert don't have their action updated.

Added by Jason Ish almost 4 years ago. Updated 5 months ago.

Status: Feedback
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Tested 4.1.9, 5.0.4 and 6.0.0; all seem to be affected. To reproduce, use a simple rule like:

drop icmp any any -> any any (msg:"DROP ICMP"; sid:100000000; rev:1;)

Start Suricata with a rule file like the above. Test that ICMP is dropped. Update rule to alert, send Suricata a reload-rules signal. Suricata will continue to drop ICMP. Rule reload completion was observed in Suricata output.

Same thing happens when rule starts as alert and is changed to drop.
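As an added example (not part of the bug report or of Suricata itself): one way to confirm whether a reload actually took effect is to compare the action declared in the rules file for each sid against the action Suricata reports in its eve.json alert events for the same sid. The rule text and eve.json lines below are constructed to mirror the scenario above, where the rule was changed from drop to alert but the engine keeps blocking.

```python
import json
import re

# Constructed rules file contents after the edit from drop to alert.
RULES_AFTER_RELOAD = """
# drop icmp any any -> any any (msg:"DROP ICMP"; sid:100000000; rev:1;)
alert icmp any any -> any any (msg:"DROP ICMP"; sid:100000000; rev:2;)
"""

# Constructed eve.json lines as the engine might emit them after the reload
# if the action was not updated: the alert still reports "blocked".
EVE_LINES = [
    '{"event_type":"alert","alert":{"action":"blocked","signature_id":100000000,'
    '"rev":1,"signature":"DROP ICMP"}}',
    '{"event_type":"flow","flow":{"pkts_toserver":1,"pkts_toclient":0}}',
]

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expected_actions(rules_text):
    """Map sid -> declared action ('alert' or 'drop'), skipping comments and blank lines."""
    expected = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action = line.split(None, 1)[0].lower()
        match = SID_RE.search(line)
        if match and action in ("alert", "drop"):
            expected[int(match.group(1))] = action
    return expected


def observed_actions(eve_lines):
    """Map sid -> action inferred from eve alert events: 'blocked' means drop, else alert."""
    observed = {}
    for raw in eve_lines:
        try:
            event = json.loads(raw)
        except ValueError:
            continue  # skip truncated or non-JSON lines
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        sid = alert.get("signature_id")
        if sid is not None:
            observed[sid] = "drop" if alert.get("action") == "blocked" else "alert"
    return observed


def find_mismatches(rules_text, eve_lines):
    """Return {sid: (declared, observed)} for sids whose live behaviour contradicts the file."""
    declared, seen = expected_actions(rules_text), observed_actions(eve_lines)
    return {sid: (declared[sid], seen[sid]) for sid in declared
            if sid in seen and declared[sid] != seen[sid]}
```

Run it against the real rules file and a few eve.json lines captured after sending the reload; an empty result means the observed action matches the file for every sid seen.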
