Why do I need to drop http explicitly?

Help
,
1

With the following rules

pass http $HOME_NET any -> 0.0.0.0/0 80 (http.host;content:"example.com"; endswith;sid: 300;)
pass tcp $HOMET_NET any <> 0.0.0.0/0 80 (flow: not_established; sid: 200;)
drop ip any any <> any any (sid: 100;)

I am able to still curl non example.com

However, when added one more lines

pass http $HOME_NET any -> 0.0.0.0/0 80 (http.host;content:"example.com"; endswith;sid: 300;)
pass tcp $HOME_NET any <> 0.0.0.0/0 80 (flow: not_established; sid: 200;)
drop http $HOME_NET any -> 0.0.0.0/0 80 (http.header_names; content:"|0d 0a|"; startswith; sid:400;)
drop ip any any <> any any (sid: 100;)

I no longer able to curl non example.com

The question is I am using default order.So adding any drop rules shan’t block existing traffics.Could anyone explain why it doesn’t work as expected
https://suricata.readthedocs.io/en/suricata-6.0.2/configuration/suricata-yaml.html?highlight=action+order#action-order

2

Does it work if you just use the last drop rule and no pass rule upfront?
Also there is a typo in the first example “HOMET_NET”.

3

Referring to

Does it work if you just use the last drop rule and no pass rule upfront?

Could you show me the sample rules?

4

I meant your last rule:

drop ip any any <> any any (sid: 100;)

if just this would work, although blocking all