Unexpectedly seeing alert records written to eve.json when pass rules are triggered

Should Suricata 6.0.8 write “alert” records to eve.json when a NIDS “pass” rule is triggered. We are unexpectedly seeing this in multiple environments. Is this by design?

from suricata.yaml

  • eve-log:
    enabled: ‘yes’
    filetype: regular
    filename: /nsm/eve-%Y-%m-%d-%H:%M.json
    rotate-interval: hour
    pcap-file: false
    community-id: true
    community-id-seed: 0
    enabled: ‘no’
    mode: extra-data
    deployment: reverse
    header: X-Forwarded-For
    • alert:
      payload: ‘no’
      payload-buffer-size: 4kb
      payload-printable: ‘yes’
      packet: ‘yes’
      app-layer: false
      flow: false
      metadata: true
      raw: true
      tagged-packets: ‘no’

eve.json output file includes cases like this where a “pass” rule generated an “alert” record.
“timestamp”: “2022-11-16T20:43:54.222486+0000”,
“flow_id”: 1108034110276122,
“in_iface”: “bond0”,
“event_type”: “alert”,
“src_ip”: “”,
“src_port”: 443,
“dest_ip”: “”,
“dest_port”: 59606,
“proto”: “TCP”,
“community_id”: “1:wYwjxRQvNh95IFHhE3fuDIsdbBA=”,
“alert”: {
“action”: “allowed”,
“gid”: 1,
“signature_id”: 500400,
“rev”: 1,
“signature”: “skip SSL packets that don’t involve Internet”,
“category”: “”,
“severity”: 3,
“rule”: “pass tcp $HOME_NET [443,465,993,995] → [,,] any (msg:"skip SSL packets that don’t involve Internet"; sid:500400; rev:1;)”
“tunnel”: {
“src_ip”: “”,
“src_port”: 33727,
“dest_ip”: “”,
“dest_port”: 4789,
“proto”: “UDP”,
“depth”: 1
“payload_printable”: “”,
“stream”: 0,
“packet”: “RQAAPAAAQAA/BibjCgMAdwoDAF0Bu+jWm83DpFV3NeagEvs0yncAAAIEBYIEAggK1Bf5BMkzAeoBAwMH”,
“packet_info”: {
“linktype”: 12

I wonder if this is related to the “tunnel” aspect of the packets tripping this pass rule. It is actually Docker overlay network traffic between containers on different Docker hosts. Could this special scenario somehow be causing Suricata to generate an alert on a triggered pass rule?

I would say it’s not expected. Can you try to reproduce this with a pcap?
And if so, can you share that pcap?
You can also do a test with the noalert keyword and see what happens in that case.

But with some local pcap tests, the same rule with alert shows output, while pass doesn’t. So might be a bug.

Indeed the “flowbits: noalert” workaround did stop those alerts from being written to eve.json.

I do have a pcap of the Docker overlay network packets (vxlan encapsulated tcp/443 packets) that are what have been causing this issue. How shell I deliver it to you?

I will reply to you privately