I have been using Suricata as an IPS for years (now using 6.0.9).
I just noticed that there is an error-policy setting in the app-layers section of the yaml file.
I wonder what the different options mean. In the documentation, there is not much explanation unfortunately:
In IPS mode, a global exception policy accessed via the error-policy setting can be defined to indicate what the engine should do in case it encounters an app-layer error. Possible values are “drop-flow”, “pass-flow”, “bypass”, “drop-packet”, “pass-packet”, “reject” or “ignore” (which maintains the default behavior).
Where can I get more information about that parameter?