Hey everyone,
I am currently working with other people on some Suricata rules and their behavior. Let’s say we have the following rule:
alert ip !172.20.0.90 any -> !82.118.200.187 any (sid: 1000;)
I was told that this rule is supposed to match not only on IPv4 traffic that does not have the mentioned source or destination, but also on IPv6 traffic. However, I could not reproduce this on my local Suricata installation. No IPv6 traffic I tried was matched by this rule, but plenty of IPv4 traffic was. Can someone please clarify for me what the expected behavior of this rule is? Is the behavior I found correct, or am I missing something and the rule can also match on IPv6?
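As an added illustration (not part of the original post and not Suricata's own code), here is a small Python model of the per-address-family expansion that would produce the behavior described above: a negated IPv4 address becomes the complement of that address within IPv4 only, while "any" covers both families, so a header built only from IPv4 addresses leaves no IPv6 ranges to match. The expansion rule and the sample flows are this example's assumptions.

```python
import ipaddress

# Constructed model for this example: a Suricata address field is expanded
# into the networks it accepts, kept separately per address family.
V4_ALL = ipaddress.ip_network("0.0.0.0/0")
V6_ALL = ipaddress.ip_network("::/0")


def expand_address(spec):
    """Return {4: [...], 6: [...]} networks a single address spec accepts.

    Assumption of this model: a negated address is the complement of that
    address within its own family only; the other family gets no ranges.
    """
    spec = spec.strip()
    if spec == "any":
        return {4: [V4_ALL], 6: [V6_ALL]}
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    other = 6 if net.version == 4 else 4
    if not negated:
        return {net.version: [net], other: []}
    whole = V4_ALL if net.version == 4 else V6_ALL
    return {net.version: list(whole.address_exclude(net)), other: []}


def field_matches(spec, ip):
    """True if the packet address falls inside the spec's ranges for its family."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expand_address(spec)[addr.version])


def rule_matches(src_spec, dst_spec, src_ip, dst_ip):
    """Both address fields of the rule header must accept the packet."""
    return field_matches(src_spec, src_ip) and field_matches(dst_spec, dst_ip)


if __name__ == "__main__":
    src_spec, dst_spec = "!172.20.0.90", "!82.118.200.187"  # header from the post
    # Constructed sample flows: IPv4 with neither excluded host, IPv4 from the
    # excluded source, and IPv6 using the documentation prefix.
    for src, dst in [("10.0.0.5", "93.184.216.34"),
                     ("172.20.0.90", "93.184.216.34"),
                     ("2001:db8::1", "2001:db8::2")]:
        print(f"{src} -> {dst}: {rule_matches(src_spec, dst_spec, src, dst)}")
    print("IPv6 ranges for !172.20.0.90:", expand_address("!172.20.0.90")[6])
```

The model only reproduces the reported observation; confirming it against a real installation still means loading just this rule and replaying a capture that contains IPv6 flows.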