Bug #4491
Status: Closed
rules: rules w/o sid accepted, leading to alerts with signature_id: 0
Description
Currently, if a rule like
alert icmp any any -> any any (msg: "ICMP Packet found";)
is provided to Suricata, the engine will process it and generate alerts like
05/11/2021-12:34:41.554752 [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:0000:0000:0000:0001:134 -> ff02:0000:0000:0000:0000:0000:0000:0001:0
This means that Suricata ends up accepting rules with signature_id 0, when no signature_id is provided.
This is undesired behavior; the engine should probably require rules to have a signature_id field, to prevent that from happening.
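A pre-load lint for the condition described in this report, written as an added example (not code from the bug report or from Suricata): it parses each rule's option list, honouring semicolons inside quoted values, and flags rules whose sid is missing, zero, non-numeric or duplicated, so they are caught before the engine accepts them and emits [1:0:0] alerts. The sample rules file and the helper names are constructed for the example.

```python
import re
# Rule header (action proto src sport dir dst dport) followed by the parenthesised options.
_RULE_RE = re.compile(r'^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

# Constructed sample rules file; line 1 is the rule quoted in the bug report.
SAMPLE_RULES = """\
alert icmp any any -> any any (msg: "ICMP Packet found";)
alert tcp any any -> any 80 (msg:"semi; inside"; content:"a;b"; sid:1000001; rev:1;)
# alert udp any any -> any 53 (msg:"commented out, never loaded";)
alert tcp any any -> any any (msg:"explicit zero"; sid:0;)
"""

def split_options(body):
    """Split the option body into (keyword, value) pairs; ';' inside double quotes does not end an option."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body + ';':                     # trailing ';' flushes an unterminated last option
        if ch == ';' and not in_quote:
            key, _, val = ''.join(buf).partition(':')
            if key.strip():
                opts.append((key.strip(), val.strip()))
            buf = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote           # quotes are kept so values stay as written
        escaped = ch == '\\' and in_quote and not escaped
        buf.append(ch)
    return opts

def check_rule(line):
    """Return None for a rule with a usable sid, otherwise a short problem description."""
    m = _RULE_RE.match(line)
    if not m:
        return "not a parseable rule"
    sids = [v for k, v in split_options(m.group(8)) if k == 'sid']
    if not sids:
        return "missing sid (would alert as signature_id 0)"
    if len(sids) > 1 or not sids[0].isdigit() or int(sids[0]) == 0:
        return "unusable sid %s (zero, non-numeric or duplicated)" % sids
    return None

def lint_rules(text):
    """Return (line_number, rule, problem) for each loadable rule that fails the check."""
    problems = []
    for n, s in enumerate(map(str.strip, text.splitlines()), 1):
        if s and not s.startswith('#'):       # blank and commented-out lines are not loaded
            problem = check_rule(s)
            if problem:
                problems.append((n, s, problem))
    return problems
```

Running `lint_rules(SAMPLE_RULES)` reports lines 1 and 4: the sid-less rule from the report and the explicit `sid:0`, which is indistinguishable from a missing sid in alert output.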
Updated by Victor Julien over 3 years ago
- Subject changed from Suricata accepts rules without signature_ids, leading to alerts with signature_id: 0 to rules: rules w/o sid accepted, leading to alerts with signature_id: 0
Updated by Victor Julien over 3 years ago
- Status changed from New to Assigned
- Assignee set to Juliana Fajardini Reichow
Updated by Juliana Fajardini Reichow over 3 years ago
- Status changed from Assigned to In Review
PR for review: https://github.com/OISF/suricata/pull/6202
PR for s-v mqtt test that broke after this: https://github.com/OISF/suricata/pull/6202
Updated by Juliana Fajardini Reichow over 3 years ago
Current PR under review: https://github.com/OISF/suricata/pull/6210
Updated by Juliana Fajardini Reichow over 3 years ago
PR for review: https://github.com/OISF/suricata/pull/6219
Updated by Juliana Fajardini Reichow over 3 years ago
Approved PR: https://github.com/OISF/suricata/pull/6219
Updated by Juliana Fajardini Reichow over 3 years ago
- Status changed from In Review to Closed