Bug #4491 (closed)

rules: rules w/o sid accepted, leading to alerts with signature_id: 0

Added by Juliana Fajardini Reichow almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal

Description

Currently, if a rule like

alert icmp any any -> any any (msg: "ICMP Packet found";)

is provided to Suricata, the engine will process it and generate alerts like

05/11/2021-12:34:41.554752  [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:0000:0000:0000:0001:134 -> ff02:0000:0000:0000:0000:0000:0000:0001:0

This means that when no signature_id is provided, Suricata still accepts the rule and loads it with signature_id 0 (the middle field of [1:0:0] in the alert above, which is gid:sid:rev).

This is undesired behavior; the engine should probably require every rule to have a signature_id field, to prevent that from happening.
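As an added illustration of the check this report asks for (example code written here, not Suricata's own rule parser): a small Python validator that splits a rule's option section, keeping semicolons inside quoted values intact, and rejects rules whose sid option is missing. It also rejects sid 0, an assumption made here because 0 is what the engine currently reports for rules that have no sid; the sample rules are constructed, the first being the rule from this report.

```python
import re

# Constructed sample rules (not from any shipped ruleset). The first is the
# rule quoted in the bug report and carries no sid at all.
SAMPLE_RULES = [
    'alert icmp any any -> any any (msg: "ICMP Packet found";)',
    'alert icmp any any -> any any (msg:"ICMP; with semicolon"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"zero sid"; sid:0; rev:1;)',
]

def split_options(rule):
    """Return the option section of a rule as a list of (keyword, value) pairs.

    Options end with ';', but a ';' inside a double-quoted value (msg:"a; b")
    must not split the option, so the text is walked character by character
    while tracking the quote state; backslash escapes inside quotes are kept.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        raise ValueError("rule has no option section")
    options, cur, in_quote, escaped = [], [], False, False
    for ch in rule[start + 1:end]:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\" and in_quote:
            cur.append(ch); escaped = True
        elif ch == '"':
            in_quote = not in_quote; cur.append(ch)
        elif ch == ";" and not in_quote:
            key, _, val = "".join(cur).strip().partition(":")
            if key:
                options.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    if in_quote or "".join(cur).strip():
        raise ValueError("unterminated quoted value or option missing ';'")
    return options

def validate_sid(rule):
    """Return the rule's sid as an int; raise ValueError if absent or invalid.

    Assumption for this example: sid 0 is treated as invalid, since an alert
    with sid 0 is indistinguishable from one raised by a rule lacking a sid.
    """
    sids = [val for key, val in split_options(rule) if key == "sid"]
    if not sids:
        raise ValueError("rule has no sid option")
    if len(sids) > 1:
        raise ValueError("rule has more than one sid option")
    if not re.fullmatch(r"[1-9][0-9]*", sids[0]):
        raise ValueError(f"invalid sid value: {sids[0]!r}")
    return int(sids[0])

def check_rules(rules):
    """Map each rule to its sid, or to the reason it would be rejected."""
    result = {}
    for rule in rules:
        try:
            result[rule] = validate_sid(rule)
        except ValueError as exc:
            result[rule] = f"rejected: {exc}"
    return result
```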
