What does the error-policy in the app-layers section affect?

Hi,

I am using Suricata as IPS for years (now using 6.0.9).
I just noticed that there is a error-policy setting in the app-layers section of the yaml file.
I wonder what the different options mean. In the documentation, there is not much explanation unfortunately:

In IPS mode, a global exception policy accessed via the error-policy setting can be defined to indicate what the engine should do in case if encounters an app-layer error. Possible values are “drop-flow”, “pass-flow”, “bypass”, “drop-packet”, “pass-packet”, “reject” or “ignore” (which maintains the default behavior)

Where can I get more information about that parameter?

You can read this here: 10.3. Exception Policies — Suricata 6.0.9 documentation

1 Like