https://suricata.readthedocs.io/en/suricata-6.0.0/configuration/suricata-yaml.html
From the above-mentioned doc:
Rules will be loaded in the order of which they appear in files. But they will be processed in a different order. Signatures have different priorities. The most important signatures will be scanned first. There is a possibility to change the order of priority. The default order is: pass, drop, reject, alert.
Do we have any examples for the signature? The reason I ask is I did the below rules:
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".example.com"; endswith; msg:"Allowed HTTP domain"; priority:10; sid:102120; rev:1;)
pass tcp any any -> any 22 (msg:"Allow ssh traffic"; sid:102121; rev:1;)
drop tcp any any -> any any (msg:"Drop tcp traffic"; flow:established; sid:102122; priority:12; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".example.com"; endswith; msg:"Allowed HTTP domain"; priority:10; sid:102120; rev:1;)
pass tcp any any -> any 22 (msg:"Allow ssh traffic"; sid:102121; rev:1;)
drop tcp any any -> any any (msg:"Drop tcp traffic"; flow:established; sid:102122; priority:2; rev:1;)
Both rule sets drop the TCP traffic and the flow bit is not considered. The moment I change the source IP from any to $HOME_NET it starts to work and the flow is considered.
Am I missing something?
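As an added illustration (not from the post or the Suricata project), a small Python model of the ordering the quoted doc describes: action order first (pass, drop, reject, alert), then the priority keyword within one action (1 highest). It assumes a missing priority defaults to 3, breaks ties by file order, and ignores the extra flowbits/flowvar ordering the real engine applies; run over the poster's rules it shows that moving the drop rule from priority 12 to 2 cannot place it ahead of the pass rules.

```python
import re

# Default action order as quoted from the Suricata docs above:
# pass rules are evaluated before drop, drop before reject, reject before alert.
ACTION_ORDER = ("pass", "drop", "reject", "alert")
# Assumption: a rule without a priority keyword is treated as priority 3.
DEFAULT_PRIORITY = 3

RULE_RE = re.compile(r"^\s*(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")


def parse_rule(line):
    """Split one rule line into action, header and keyword options.

    Options are kept in a dict, so a rule repeating a keyword (two content
    matches, say) keeps only the last value; enough for this ordering check.
    """
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("not a Suricata rule: %r" % line)
    options = {}
    for opt in m.group("options").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return {"action": m.group("action"), "header": m.group("header").strip(),
            "options": options}


def evaluation_order(rules):
    """Sort rules by action order, then by priority (lower number first).
    sorted() is stable, so file order breaks ties (a simplification)."""
    parsed = [parse_rule(r) for r in rules]
    return sorted(parsed, key=lambda r: (ACTION_ORDER.index(r["action"]),
                                         int(r["options"].get("priority", DEFAULT_PRIORITY))))


def sids_in_order(rules):
    """Convenience: just the sids in evaluation order."""
    return [r["options"]["sid"] for r in evaluation_order(rules)]


# Constructed copy of the rule set from the question, with the drop rule at
# priority 12 and again at priority 2.
PASS_RULES = [
    'pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".example.com"; endswith; msg:"Allowed HTTP domain"; priority:10; sid:102120; rev:1;)',
    'pass tcp any any -> any 22 (msg:"Allow ssh traffic"; sid:102121; rev:1;)',
]
DROP_PRIO_12 = 'drop tcp any any -> any any (msg:"Drop tcp traffic"; flow:established; sid:102122; priority:12; rev:1;)'
DROP_PRIO_2 = 'drop tcp any any -> any any (msg:"Drop tcp traffic"; flow:established; sid:102122; priority:2; rev:1;)'

if __name__ == "__main__":
    for drop in (DROP_PRIO_12, DROP_PRIO_2):
        print(sids_in_order(PASS_RULES + [drop]))  # drop sid is last both times
```

Both runs print the same order (102121, 102120, 102122): the pass rules come first because of action order, so the priority value on the drop rule is not what decides whether it is reached for a given flow.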