p->alerts.alerts[p->alerts.cnt] = *pa;
SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
- /* pass "alert" found, we're done */
- if (pa->action & ACTION_PASS) {
+ /* pass w/o alert found, we're done. Alert is not logged. */
+ if ((pa->action & (ACTION_PASS | ACTION_ALERT)) == ACTION_PASS) {
SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
break;
}
p->alerts.cnt++;
+
+ /* pass with alert, we're done. Alert is logged. */
+ if (pa->action & ACTION_PASS) {
+ SCLogDebug("sid:%u: is a pass rule, so break out of loop", s->id);
+ break;
+ }
} else {
p->alerts.discarded++;
}
*
* \author Victor Julien <victor@inliniac.net>
*
- * Implements the noalert keyword
+ * Implements the noalert and alert keywords.
*/
#include "suricata-common.h"
return 0;
}
+static int DetectAlertSetup(DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
+{
+ DEBUG_VALIDATE_BUG_ON(nullstr != NULL);
+
+ s->action |= ACTION_ALERT;
+ return 0;
+}
+
void DetectNoalertRegister(void)
{
sigmatch_table[DETECT_NOALERT].name = "noalert";
sigmatch_table[DETECT_NOALERT].url = "/rules/flow-keywords.html";
sigmatch_table[DETECT_NOALERT].Setup = DetectNoalertSetup;
sigmatch_table[DETECT_NOALERT].flags |= SIGMATCH_NOOPT;
+
+ sigmatch_table[DETECT_ALERT].name = "alert";
+ sigmatch_table[DETECT_ALERT].desc = "alert will be generated by the rule";
+ sigmatch_table[DETECT_ALERT].url = "/rules/flow-keywords.html";
+ sigmatch_table[DETECT_ALERT].Setup = DetectAlertSetup;
+ sigmatch_table[DETECT_ALERT].flags |= SIGMATCH_NOOPT;
}
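Review bot: DetectAlertSetup is added without any doc comment, while the keyword it backs changes how a pass rule is handled in the alert-append hunk above (pass with ACTION_ALERT is kept and logged, pass without it is dropped), so a maintainer reading this file alone cannot tell why the keyword exists. Suggest a Doxygen header on it: `/** \brief Setup for the "alert" keyword: sets ACTION_ALERT on the signature so that a pass rule still appends and logs its alert instead of being discarded silently. \retval 0 always. */`. The DEBUG_VALIDATE_BUG_ON on nullstr only fires in debug-validation builds; presumably SIGMATCH_NOOPT makes the rule parser reject any option string before Setup runs, so it would be worth stating that assumption in the same comment. A small point of style: the keyword is registered inside DetectNoalertRegister, so a one-line comment above the DETECT_ALERT block noting that the two keywords are intentionally registered together would save the next reader a search.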