Alert rules still triggering after pass rules

Nathan_Riches · April 13, 2023, 10:26pm

I have the following rules in place in AWS Network Firewall:

pass tls any any -> any any (tls.sni; content: "collector-009.newrelic.com"; startswith; nocase; endswith; msg: "matching TLS allowlisted FQDNs"; priority: 1; sid: 10; rev: 1;)
alert tls any any -> any any ( msg:"INITIAL TLS egress to collect all outgoing traffic"; flow:to_server, established; sid: 1000002 ; rev:1; )

I was under the impression that any traffic to “collector-009.newrelic.com” would trigger the “pass” rule and therefore skip the “alert” rule. However, I am still seeing logs (alerts) showing “collector-009.newrelic.com” with the message from the alert rule. Why might this be? Am I missing something here?

Andreas_Herz · May 7, 2023, 10:15am

Can you post a full example of the EVE JSON output that still triggered the alert?

vjulien · May 7, 2023, 2:57pm

Seems like a duplicate of https://forum.suricata.io/t/alert-rules-still-triggering-after-pass-reject-rules/ ?

Topic		Replies	Views
Confused on alert logging Help rules , suricata , aws-nfw , aws-network-firewall	1	116	December 1, 2023
Except trusted IP Help	10	646	February 25, 2021
Query about custom rule	12	132	December 18, 2023
Question about SSH SCAN rule Help suricata	1	830	November 16, 2022
Any idea why rule is not working :)	1	482	November 17, 2022

Alert rules still triggering after pass rules

Related Topics