Rules run out of order


I have a series of Suricata rules that (hypothetically) should run in a specific order.

    pass http any any -> any any (msg:"rule 1"; content:"POST"; lua:postScript1.lua; sid:999991;)
    pass http any any -> any any (msg:"rule 2"; content:"POST"; lua:postScript2.lua; sid:999992;)
    alert http any any -> any any (msg:"rule 3"; content:"GET"; lua:getScript1.lua; sid:999993;)
    reject http any any -> any any (msg:"rule 4"; content:"GET"; lua:postScript2.lua; sid:999994;)

I’ve modified suricata.yaml for the following action-order:

  • pass
  • alert
  • drop
  • reject

The problem is that it creates a race condition between the last two scripts. Based on output from those scripts to suricata.log, I surmise that the getScript1.lua is running before getScript2.lua, despite the fact that their actions are in a specific order.

How do I address this?