Alert rules still triggering after pass rules

Nathan_Riches · April 13, 2023, 10:26pm

I have the following rules in place in AWS Network Firewall:

pass tls any any -> any any (tls.sni; content: "collector-009.newrelic.com"; startswith; nocase; endswith; msg: "matching TLS allowlisted FQDNs"; priority: 1; sid: 10; rev: 1;)
alert tls any any -> any any ( msg:"INITIAL TLS egress to collect all outgoing traffic"; flow:to_server, established; sid: 1000002 ; rev:1; )

I was under the impression that any traffic to “collector-009.newrelic.com” would trigger the “pass” rule and therefore skip the “alert” rule. However, I am still seeing logs (alerts) showing “collector-009.newrelic.com” with the message from the alert rule. Why might this be? Am I missing something here?

Andreas_Herz · May 7, 2023, 10:15am

Can you post a full example of the EVE JSON output that still triggered the alert?

vjulien · May 7, 2023, 2:57pm

Seems like a duplicate of https://forum.suricata.io/t/alert-rules-still-triggering-after-pass-reject-rules/ ?

Topic		Replies	Views
Alert rules still triggering after pass/reject rules Help aws-network-firewall	4	1007	May 6, 2023
Confused on alert logging Help rules , suricata , aws-nfw , aws-network-firewall	1	171	December 1, 2023
Unexpectedly seeing alert records written to eve.json when pass rules are triggered Help	4	901	November 18, 2022
Except trusted IP Help	10	700	February 25, 2021
How to capture ALL internet-bound network traffic? Help aws-network-firewall	1	867	May 6, 2023

Alert rules still triggering after pass rules

Related topics