Bug #4491

rules: rules w/o sid accepted, leading to alerts with signature_id: 0

Added by Juliana Fajardini Reichow 4 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal

Description

Currently, if a rule like

alert icmp any any -> any any (msg: "ICMP Packet found";)

is provided to Suricata, the engine will process it and generate alerts like

05/11/2021-12:34:41.554752  [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:0000:0000:0000:0001:134 -> ff02:0000:0000:0000:0000:0000:0000:0001:0

This means that Suricata ends up accepting rules with signature_id 0 when no signature_id is provided.

This is undesired behavior; the engine should probably require rules to have a signature_id field, to prevent that from happening.
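Until a build that includes the fix tracked in this ticket is deployed, a pre-load lint over the ruleset is the practical check: reject any rule whose option list has no sid, or sid:0, before the engine ever sees it. The script below is an added example, not Suricata's own code or the change in the referenced PR. It implements a simplified approximation of the rule grammar (header fields, then options inside parentheses, split on ; outside double quotes with backslash escapes honored), which is enough for this check but not a full Suricata rule parser. The sample ruleset at the bottom is constructed for the example; the first rule is the sid-less ICMP rule from the description.

```python
"""Pre-load lint for Suricata rules: flag rules with no sid or sid:0.

Added example, not part of Suricata. The header/option grammar below is a
simplified approximation of the real rule syntax, sufficient for this check.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.S,
)


def split_options(body: str) -> List[str]:
    """Split 'key:value; key; ...' on ';' that sit outside double quotes.

    A backslash escapes the next character, so 'msg:"a\\;b"' stays intact.
    """
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


@dataclass
class Finding:
    line_no: int
    problem: str
    rule: str


def check_rule(text: str) -> Optional[str]:
    """Return None if the rule carries exactly one positive sid, else the problem."""
    m = HEADER_RE.match(text)
    if not m:
        return "unparsable rule header"
    sids = []
    for opt in split_options(m.group(8)):
        key, _, value = opt.partition(":")
        if key.strip() == "sid":
            sids.append(value.strip())
    if not sids:
        return "missing sid"
    if len(sids) > 1:
        return "multiple sid options"
    # sid:0 is what this ticket is about: the engine would accept it and
    # emit alerts tagged [1:0:0], which nothing downstream can attribute.
    if not sids[0].isdigit() or int(sids[0]) == 0:
        return f"invalid sid {sids[0]!r}"
    return None


def lint_rules(rules_text: str) -> List[Finding]:
    """Lint a whole .rules file (one rule per line; comments and blanks skipped)."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        problem = check_rule(stripped)
        if problem:
            findings.append(Finding(n, problem, stripped))
    return findings


# Constructed sample ruleset for this example (not from the original page
# beyond the first rule, which is the sid-less one from the description).
SAMPLE_RULES = """\
# constructed sample ruleset
alert icmp any any -> any any (msg: "ICMP Packet found";)
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"semicolon\\; inside msg"; sid:0; rev:1;)
alert tcp any any -> any 443 (msg:"escaped \\" quote"; sid:1000002;)
"""

if __name__ == "__main__":
    for f in lint_rules(SAMPLE_RULES):
        print(f"line {f.line_no}: {f.problem}: {f.rule}")
```

Run it against a real ruleset by replacing SAMPLE_RULES with the file contents; a non-empty findings list should fail the deployment step, since a sid-less rule that loads will still alert, just under signature_id 0.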

Actions #1

Updated by Victor Julien 4 months ago

  • Subject changed from Suricata accepts rules without signature_ids, leading to alerts with signature_id: 0 to rules: rules w/o sid accepted, leading to alerts with signature_id: 0
Actions #2

Updated by Victor Julien 4 months ago

  • Status changed from New to Assigned
  • Assignee set to Juliana Fajardini Reichow
Actions #3

Updated by Juliana Fajardini Reichow 3 months ago

  • Status changed from Assigned to In Review

PR for review: https://github.com/OISF/suricata/pull/6202

PR for s-v mqtt test that broke after this: https://github.com/OISF/suricata/pull/6202

Actions #7

Updated by Juliana Fajardini Reichow 3 months ago

  • Status changed from In Review to Closed
Actions #8

Updated by Juliana Fajardini Reichow 3 months ago

Merged.
