Bug #6663

open

Config rules do not disable logging.

Added by Erik Sørli 10 months ago. Updated 5 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Consider the following rule, a config rule that, when it matches, should change the configuration of a flow but does not disable logging of the traffic in Suricata:

config dns $IGNORE_DNS_CLIENT any -> any any (msg: "dns traffic disable"; config: logging disable, type tx, scope tx; flowbits: set, dns_traffic_disable; sid:1; rev:1;)

Current behaviour

When testing the disable-logging functionality on Suricata 7.0.2, the engine does not disable transaction logging of the traffic defined in the config rule. Looking through the source code, the following code snippet also does not handle the flow logic:

if (this_tx) {
    SCLogDebug("tx logic here: tx_id %"PRIu64, det_ctx->tx_id);
    ConfigApplyTx(p->flow, det_ctx->tx_id, config);
} else if (this_flow) {
    /* only a debug message here: nothing applies the config to the flow */
    SCLogDebug("flow logic here");
}

Expected behaviour

Later versions of Suricata are supposed to allow config rules that, when matching, change the configuration for a flow, transaction, packet or other unit, disabling records in eve.json and Lua output.

Notes

The rule does match the traffic, as it tags the flow with the flowbit defined in the config rule; however, as mentioned, the traffic is still logged in the eve.json file.
A pcap file is also attached to ease replication of the issue.
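The check below is an added example, not code from the report or from the Suricata project. It audits an eve.json stream for DNS records that a `config: logging disable` rule should have suppressed: every `dns` event whose source or destination falls inside the rule's client range is a record that should not exist if the config rule worked. The value of `$IGNORE_DNS_CLIENT` is not shown in the report, so the `10.0.0.0/24` range, the DNS server address and the eve.json lines are constructed here; run it against a real eve.json produced from the attached pcap by passing the file path as the first argument.

```python
"""Audit an eve.json stream for DNS transactions that a
'config: logging disable' rule should have suppressed."""
import ipaddress
import json
import sys

# Assumed value for the $IGNORE_DNS_CLIENT address variable; the report does
# not show what it is set to in the reporter's suricata.yaml.
IGNORE_DNS_CLIENT = ["10.0.0.0/24"]

# Constructed eve.json lines (not from the report's pcap): a query and its
# answer for a client inside the ignore range, a query from an outside client,
# a non-DNS flow record, and one corrupt line.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "dns", "src_ip": "10.0.0.5", "src_port": 51000,
                "dest_ip": "198.51.100.53", "dest_port": 53, "proto": "UDP",
                "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}}),
    json.dumps({"event_type": "dns", "src_ip": "198.51.100.53", "src_port": 53,
                "dest_ip": "10.0.0.5", "dest_port": 51000, "proto": "UDP",
                "dns": {"type": "answer", "rrname": "example.com", "rcode": "NOERROR"}}),
    json.dumps({"event_type": "dns", "src_ip": "192.168.1.20", "src_port": 40000,
                "dest_ip": "198.51.100.53", "dest_port": 53, "proto": "UDP",
                "dns": {"type": "query", "rrname": "example.org", "rrtype": "AAAA"}}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.53",
                "proto": "UDP", "flow": {"pkts_toserver": 1, "pkts_toclient": 1}}),
    '{"event_type": "dns", "src_ip": "10.0.0.5"',  # truncated write, must be skipped
]


def parse_networks(cidrs):
    """Turn the rule variable's CIDR list into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def load_events(lines):
    """Parse newline-delimited JSON, dropping blank or corrupt records."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def ignored_endpoint(event, networks):
    """Return the endpoint that falls inside the ignore range, or None.

    Both ends are checked so that a transaction record is caught whichever
    direction it was logged in.
    """
    for key in ("src_ip", "dest_ip"):
        value = event.get(key)
        if value is None:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue
        if any(addr in net for net in networks):
            return value
    return None


def audit_dns_logging(lines, ignore_cidrs):
    """Count DNS events and those that should not have been logged at all.

    Returns {"dns_events": total, "unsuppressed": {client_ip: count}}.
    A non-empty 'unsuppressed' map reproduces the behaviour in this report.
    """
    networks = parse_networks(ignore_cidrs)
    unsuppressed = {}
    total = 0
    for event in load_events(lines):
        if event.get("event_type") != "dns":
            continue
        total += 1
        client = ignored_endpoint(event, networks)
        if client is not None:
            unsuppressed[client] = unsuppressed.get(client, 0) + 1
    return {"dns_events": total, "unsuppressed": unsuppressed}


if __name__ == "__main__":
    # Pass a real eve.json path to audit it; without one the constructed
    # sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_EVE_LINES
    result = audit_dns_logging(source, IGNORE_DNS_CLIENT)
    print(f"dns events: {result['dns_events']}")
    for ip, n in sorted(result["unsuppressed"].items()):
        print(f"NOT SUPPRESSED: {n} dns record(s) involving {ip}")
```

On the constructed sample the audit reports two unsuppressed records for 10.0.0.5 (the query and its answer), which is the outcome the report describes; a working config rule would leave the map empty while the outside client's query is still counted.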


Files

temp.pcapng (11.3 MB), Erik Sørli, 01/05/2024 07:35 AM