8.40. Alert Keywords

In addition to the rule action, alerting behavior can be controlled in the rule body using the noalert and alert keywords. Alerting behavior is also controlled by Thresholding Keywords.

8.40.1. noalert

A rule that specifies noalert will not generate an alert when it matches, but rule actions will still be performed.

noalert is often used in rules that set a flowbit for common patterns.

noalert is meant for use with the rule actions alert, drop and reject, all of which explicitly or implicitly include alert.

alert http any any -> any any (http.user_agent; content:"Mozilla/5.0"; startswith; endswith; flowbits:set,mozilla-ua; noalert; sid:1;)

This example sets a flowbit "mozilla-ua" on matching, but does not generate an alert due to the presence of noalert.

Note

This option is also available as flowbits:noalert; (see Flow Keywords).
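The following pair of rules is an added example, not part of the original documentation. It shows the usual reason for a silent flowbit rule: a second rule tests the flowbit and is the only one that alerts. The msg texts, the sid values and the POST condition are assumptions chosen for illustration.

```suricata
# Stage 1: tag flows whose User-Agent is exactly "Mozilla/5.0".
# noalert keeps this rule silent; only the flowbit is set.
alert http any any -> any any (msg:"EXAMPLE set mozilla-ua flowbit"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0"; startswith; endswith; flowbits:set,mozilla-ua; noalert; sid:1000001; rev:1;)

# Stage 2: alert only when a tagged flow also sends a POST request.
# This rule has no noalert, so it is the one that shows up in the alert log.
alert http any any -> any any (msg:"EXAMPLE POST from bare Mozilla/5.0 user-agent"; flow:established,to_server; flowbits:isset,mozilla-ua; http.method; content:"POST"; sid:1000002; rev:1;)
```

Flowbits are tracked per flow, so the second rule can match on the same request or on any later request in the tagged flow.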

8.40.2. alert

A rule that specifies alert will generate an alert, even if the rule action doesn't imply alerting.

This keyword can be used to implement "alert then pass" logic.

pass http any any -> any any (http.user_agent; content:"Mozilla/5.0"; startswith; endswith; alert; sid:1;)

This example would pass the rest of the HTTP flow with the Mozilla/5.0 user-agent, generating an alert for the "pass" event.