Hello,
I have a series of Suricata rules that (hypothetically) should run in a specific order.
pass http any any -> any any (msg:"rule 1"; content:"POST"; lua:postScript1.lua; sid:999991;)
pass http any any -> any any (msg:"rule 2"; content:"POST"; lua:postScript2.lua; sid:999992;)
alert http any any -> any any (msg:"rule 3"; content:"GET"; lua:getScript1.lua; sid:999993;)
reject http any any -> any any (msg:"rule 4"; content:"GET"; lua:postScript2.lua; sid:999994;)
I’ve modified suricata.yaml for the following action-order:
- pass
- alert
- drop
- reject
The problem is that it creates a race condition between the last two scripts. Based on output from those scripts to suricata.log, I surmise that getScript1.lua is running before getScript2.lua, despite the fact that their actions are in a specific order.
How do I address this?