Feature #5466: detect: allow alert-then-pass logic - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #5466

closed

detect: allow alert-then-pass logic

Added by Victor Julien over 2 years ago. Updated 4 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

8.0.0-beta1

Effort:

Difficulty:

Label:

Description

Currently pass acts as a noalert rule that stops further alerting.

Some usecases have been identified in which ppl want a "alert then pass" in a single rule. Currently they are forced to express this in 2 rules, an alert rule and a pass rule, where the action order and or priorities needs to be setup such that the alert rule is evaluated first.

We do support the following: alert .... (bypass; ...).

I think we could extend the config rule keyword for this.

E.g. something like:
alert ... (config:logging disable, type alert, scope flow;)

The behavior would still need to log the current alert, so it needs a bit of thought on how to express this.

Subtasks 1 (0 open — 1 closed)

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #5466

detect: allow alert-then-pass logic

Updated by Jason Ish almost 2 years ago

Updated by Shivani Bhardwaj almost 2 years ago

Updated by Juliana Fajardini Reichow over 1 year ago

Updated by Juliana Fajardini Reichow over 1 year ago

Updated by Juliana Fajardini Reichow over 1 year ago

Updated by Victor Julien 10 months ago

Updated by OISF Ticketbot 10 months ago

Updated by OISF Ticketbot 10 months ago

Updated by Victor Julien 10 months ago

Updated by Juliana Fajardini Reichow 10 months ago

Updated by Juliana Fajardini Reichow 6 months ago

Updated by Victor Julien 5 months ago

Updated by Victor Julien 4 months ago