
What happens to a packet that has no matching rule in Suricata? I assume it is ignored, but I haven't found any definitive info on this.

So, if my assumption is correct and the packet is ignored, would it be better to capture all non-pass-matched packets with a drop rule for performance purposes, or would the drop rule just increase the resource usage?

Essentially I am asking if matching every packet is a better approach. What are the pros and cons?

dcol

1 Answer


As an IDS/IPS, Suricata is not used for white-listing anything which is allowed, but for detecting signatures of known attacks, i.e. black-listing known malicious things. As such, a rule to match everything and drop would not make any sense, since this would essentially drop most of the innocent traffic. The expected behavior is instead to pass everything which was not specifically detected as an attack. And this is what Suricata does when run inline as an IPS.

Steffen Ullrich
  • So is the packet ignored if there is no matching rule? That way I would only need specific drop rules and bypass rules to improve performance – dcol Oct 07 '19 at 17:38
  • @dcol: I'm not sure what you mean by *"ignored"*. If there is no rule matching the packet then no rule-defined action will be taken, which means that the packet gets passed through when Suricata is inline. – Steffen Ullrich Oct 07 '19 at 18:03
  • That answers it. That's what I meant by 'ignored'. Thanks. – dcol Oct 07 '19 at 18:33
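The behaviour discussed in the answer and comments, as an added illustration that is not part of the original post or of Suricata itself: a small Python model of Suricata's default rule-action precedence (pass before drop before reject before alert) run over constructed packets. It shows that an unmatched packet takes no rule action and is forwarded inline, and what a catch-all drop rule does to innocent traffic unless an explicit pass rule sits in front of it. Rule fields, packets and sids are simplified, hypothetical stand-ins, not real Suricata rule syntax.

```python
from dataclasses import dataclass
from typing import Optional

# Suricata's default action-order: a matching "pass" wins over "drop",
# which wins over "reject", which wins over "alert".
ACTION_ORDER = ["pass", "drop", "reject", "alert"]

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str = "any"                 # "any" matches every protocol
    dport: Optional[int] = None        # None matches every destination port
    content: Optional[bytes] = None    # substring that must appear in payload
    sid: int = 0                       # hypothetical signature id

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("any", pkt.proto):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True

def verdict(pkt: Packet, rules: list) -> str:
    """Inline verdict for one packet: with no matching rule at all, no rule
    action is taken and the packet is forwarded, i.e. treated as "pass"."""
    hits = [r for r in rules if r.matches(pkt)]
    if not hits:
        return "pass"
    # the highest-precedence action among all matching rules decides
    return min((r.action for r in hits), key=ACTION_ORDER.index)

# Constructed sample traffic (not captured from a real network).
WEB = Packet("tcp", "10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1")
EVIL = Packet("tcp", "10.0.0.5", "203.0.113.10", 80, b"GET /cgi-bin/evil.sh HTTP/1.1")
DNS = Packet("udp", "10.0.0.5", "10.0.0.1", 53, b"\x12\x34\x01\x00")

# Black-list style ruleset: one signature, everything else untouched.
BLACKLIST = [Rule("drop", "tcp", 80, b"/cgi-bin/evil.sh", sid=1000001)]
# Same ruleset plus a catch-all drop: innocent web and DNS traffic is lost too.
CATCH_ALL = BLACKLIST + [Rule("drop", sid=1000002)]
# Only an explicit pass rule ahead of the catch-all rescues the DNS traffic.
WHITELISTED = [Rule("pass", "udp", 53, sid=1000003)] + CATCH_ALL

def summarize(rules: list) -> dict:
    return {name: verdict(p, rules) for name, p in (("web", WEB), ("evil", EVIL), ("dns", DNS))}
```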