With the following rules:

```
pass http $HOME_NET any -> 0.0.0.0/0 80 (http.host; content:"example.com"; endswith; sid:300;)
pass tcp $HOME_NET any <> 0.0.0.0/0 80 (flow:not_established; sid:200;)
drop ip any any <> any any (sid:100;)
```
I am still able to curl non-example.com.
However, when I add one more line:

```
pass http $HOME_NET any -> 0.0.0.0/0 80 (http.host; content:"example.com"; endswith; sid:300;)
pass tcp $HOME_NET any <> 0.0.0.0/0 80 (flow:not_established; sid:200;)
drop http $HOME_NET any -> 0.0.0.0/0 80 (http.header_names; content:"|0d 0a|"; startswith; sid:400;)
drop ip any any <> any any (sid:100;)
```
I am no longer able to curl non-example.com.
The question is: I am using the default action order, so adding any drop rules shouldn't block existing traffic. Could anyone explain why it doesn't work as expected?
https://suricata.readthedocs.io/en/suricata-6.0.2/configuration/suricata-yaml.html?highlight=action+order#action-order