Pass Rule Action

Hello all,
This is my first entry and really beginner at suricata. If my question is silly sorry about that. My suricata version is [5.0.4_2]. I want to know something. I was trying to write simple pass, drop action.
Here these rules;
pass any any → any any (msg:“all pass”; sid:1;)
drop tcp any → any any (msg:“facebook blocked”; content:“f|61|cebook”; sid:3;)

what I expect according to the rules is that will pass all packages. But network is banned in facebook rule. On the other hand, is in this network, but in the pass rule, which is the priority, all internet is allowed. So all IPs will be blocked except The problem is blocking including Shouldn’t be dropped , what am I missing?

Hi Ercan, welcome to our forum.

There are no silly questions. We are all on different points of our learning journeys :wink:

One suggestion, unrelated to your question: if you can, we recommend that you update your Suricata to a newer version, as there are usually bug fixes and improvements - plus, we don’t support suri 5 anymore.

One thing that may influence how the rules are processed is the action order (which you’ll find in your suricata.yaml file - 10.1. Suricata.yaml — Suricata 7.0.0-dev documentation).

Depending on what order you have configured there, a drop rule may have a higher priority, so that could cause the packet to be firstly processed and has this drop rule triggered, and even if the pass rule is triggered, it may have a lower priority to Suricata, so the pass rule won’t change the drop decision.

The fact that one rule has a content inspection and the other doesn’t, could also influence rule’s priority, making the drop rule have a higher priority, and thus Suricata not applying the pass action to a packet that had already triggered the drop rule.

I know this isn’t a complete answer, but I hope that this could shed some light…

I have edited this post to try to make it more evident that action priority varies depending on what one has configured in their local suricata.yaml file (thanks to Jeff for bringing to my attention that the previous version was unclear on that topic!!).

It is also important to highlight the fact that the action order of priorities is just one of the elements that could influence rule prioritization. And that it is unclear to me if that’s what’s causing the issue that you’re seeing…

I’m sorry for the late reply. I figured the problem out what actually is. It was just quotes :smiley: . it has to be normal quotes. But mines are modified, a little fancy. I changed quotes. everything started working fine.

1 Like

OH! Should have noticed that.

By the way, this is a great opportunity to share the Suricata Language Server, developed by Mr Eric Leblond, from Stamus Networks and OISF: GitHub - StamusNetworks/suricata-language-server: Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to your preferred editor once it is configured.

It will help you catch typos like those, and even offer keyword suggestions or improvements :slight_smile: