Project

General

Profile

Actions

Bug #4491

closed

rules: rules w/o sid accepted, leading to alerts with signature_id: 0

Added by Juliana Fajardini Reichow over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently, if a rule like

alert icmp any any -> any any (msg: "ICMP Packet found";)

is provided to Suricata, the engine will process it and generate alerts like
05/11/2021-12:34:41.554752  [**] [1:0:0] ICMP Packet found [**] [Classification: (null)] [Priority: 3] {IPv6-ICMP} fe80:0000:0000:0000:0000:0000:0000:0001:134 -> ff02:0000:0000:0000:0000:0000:0000:0001:0

This means that Suricata ends up accepting rules with signature_id 0, when no signature_id is provided.

This is undesired behavior, the engine should probably enforce rules to have a signature_id field, to prevent that from happening.

Actions

Also available in: Atom PDF