<p><strong>Open Information Security Foundation: Suricata - Bug #5464: eve: if alert and drop rules match for a packet, "alert.action" is ambiguous</strong></p>
<p><strong>Updated by Victor Julien on 2022-12-08T16:38:53Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26069">journal 26069</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Juliana Fajardini Reichow</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>7.0.0-rc1</i></li><li><strong>Label</strong> <i>Needs backport to 6.0</i> added</li></ul>
<p>If a drop rule and an alert rule both match, the alert record for the alert rule will say allowed, even if the packet will be dropped because of the drop rule. Perhaps it should say action "alerted".</p>
<p><strong>Updated by Victor Julien on 2022-12-08T16:41:11Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26070">journal 26070</a>)</p>
<p>Could also be addressed by adding a new (final) "verdict" field.</p>
<p><strong>Updated by Juliana Fajardini Reichow on 2022-12-08T20:20:08Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26075">journal 26075</a>)</p>
<p>Following the discussion, I tend to prefer the verdict field, too.<br />Would this be part of the "packet" event?</p>
<p><strong>Updated by Juliana Fajardini Reichow on 2022-12-23T00:32:33Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26246">journal 26246</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>In Review</i></li></ul>
<p>PR for review: <a class="external" href="https://github.com/OISF/suricata/pull/8318">https://github.com/OISF/suricata/pull/8318</a></p>
<p><strong>Updated by Shivani Bhardwaj on 2023-01-15T12:55:20Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26379">journal 26379</a>)</p>
<ul><li><strong>Subtask</strong> <i>#5794</i> added</li></ul>
<p><strong>Updated by Shivani Bhardwaj on 2023-01-15T12:55:20Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26380">journal 26380</a>)</p>
<ul><li><strong>Label</strong> deleted (<del><i>Needs backport to 6.0</i></del>)</li></ul>
<p><strong>Updated by Juliana Fajardini Reichow on 2023-01-25T15:47:07Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26535">journal 26535</a>)</p>
<p>To address this, I'm working on (possibly) adding a new field to events such as `drop` and<br />`alert`, which indicates what was the final verdict by Suri for the packet that<br />triggered the `drop`/`alert`. It is currently called `verdict`, and is<br />structured as (json resumed):</p>
<pre>
{
  "pcap_cnt": 10,
  "event_type": "drop",
  "direction": "to_server",
  "drop": {
    ...
    "reason": "flow drop"
  },
  "verdict": "drop"
}
</pre>
<p>and</p>
<pre>
{
  "pcap_cnt": 4,
  "event_type": "alert",
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "alert": {
    ...
  },
  "verdict": "reject"
}
</pre>
<p>Currently, the possible values are "accept", "drop" or "reject".</p>
<p>We'd like to get feedback on this new output field: field values, field name etc. That's because once something is introduced to our output, it's much harder to get rid of it, so we wanna be sure(r).</p>
<p><strong>Updated by Jamie Lavigne on 2023-01-27T01:41:07Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26588">journal 26588</a>)</p>
<p>Would it make sense to use a value of "pass" instead of "accept" in order to be consistent with the terminology of the rule actions? Both "drop" and "reject" are consistent with those.</p>
<p>It's unfortunate that the field name "action" in the output is already taken because that would be consistent with what the rules format calls that value: <a class="external" href="https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html#action">https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html#action</a></p>
<p><strong>Updated by Victor Julien on 2023-01-27T08:05:05Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26591">journal 26591</a>)</p>
<p>I feel <code>pass</code> would actually be confusing, as it has a different meaning than issuing an IPS verdict. Pass in detection means the packet is processed but not inspected against rules. Accept/drop/reject are more per packet verdicts indicating what happened to that packet wrt the IPS policy engine. For example, iptables uses ACCEPT/DROP/REJECT as well.</p>
<p><strong>Updated by Victor Julien on 2023-01-30T13:54:32Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=26656">journal 26656</a>)</p>
<ul><li><strong>Target version</strong> changed from <i>7.0.0-rc1</i> to <i>7.0.0-rc2</i></li></ul>
<p><strong>Updated by Juliana Fajardini Reichow on 2023-05-18T12:57:16Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=27994">journal 27994</a>)</p>
<p>To add: Have verdict as an optional new eve field but also as part of the alert event.</p>
<p><strong>Updated by Victor Julien on 2023-06-13T19:05:49Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=28530">journal 28530</a>)</p>
<ul><li><strong>Target version</strong> changed from <i>7.0.0-rc2</i> to <i>7.0.0</i></li></ul>
<p><strong>Updated by Juliana Fajardini Reichow on 2023-06-26T14:13:38Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=28732">journal 28732</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Review</i> to <i>In Progress</i></li></ul>
<p><strong>Updated by Juliana Fajardini Reichow on 2023-07-07T14:44:59Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=29061">journal 29061</a>)</p>
<p>Jamie Lavigne wrote in <a href="#note-8">#note-8</a>:</p>
<blockquote>
<p>Would it make sense to use a value of "pass" instead of "accept" in order to be consistent with the terminology of the rule actions? Both "drop" and "reject" are consistent with those.</p>
<p>It's unfortunate that the field name "action" in the output is already taken because that would be consistent with what the rules format calls that value: <a class="external" href="https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html#action">https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html#action</a></p>
</blockquote>
<p>Took longer than expected, but I believe we have something very close to merge state, now, in case you want to have a look at how we're approaching this. :)<br /><a class="external" href="https://github.com/OISF/suricata/pull/9162">https://github.com/OISF/suricata/pull/9162</a></p>
<p><strong>Updated by Juliana Fajardini Reichow on 2023-07-08T00:05:12Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=29066">journal 29066</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>In Review</i></li></ul>
<p><strong>Updated by Victor Julien on 2023-07-11T10:52:45Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=29093">journal 29093</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-5 status-2 priority-4 priority-default" href="/issues/6084">Task #6084</a>: output/alert: enable logging `PASS` alerts</i> added</li></ul>
<p><strong>Updated by Juliana Fajardini Reichow on 2023-07-11T15:21:32Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=29135">journal 29135</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-1 priority-4 priority-default" href="/issues/6210">Feature #6210</a>: outputs: add verdict event type</i> added</li></ul>
<p><strong>Updated by Victor Julien on 2023-07-14T04:59:45Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=29163">journal 29163</a>)</p>
<ul><li><strong>Status</strong> changed from <i>In Review</i> to <i>Resolved</i></li></ul>
<p><a class="external" href="https://github.com/OISF/suricata/pull/9230">https://github.com/OISF/suricata/pull/9230</a></p>
<p><strong>Updated by Victor Julien on 2023-07-17T18:47:24Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=29198">journal 29198</a>)</p>
<ul><li><strong>Subtask</strong> deleted (<del><i>#5794</i></del>)</li></ul>
<p><strong>Updated by Victor Julien on 2023-07-17T18:47:32Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=29199">journal 29199</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-5 priority-high3 closed" href="/issues/5794">Bug #5794</a>: eve: if alert and drop rules match for a packet, "alert.action" is ambiguous (6.0.x backport)</i> added</li></ul>
<p><strong>Updated by Victor Julien on 2023-07-17T18:53:26Z</strong> (<a class="external" href="https://redmine.openinfosecfoundation.org/issues/5464?journal_id=29227">journal 29227</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Closed</i></li></ul>
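<p>A defender-side correlator for the ambiguity this ticket is about, added here as an example (it is not Suricata's own code or output): it groups EVE records by <code>pcap_cnt</code>, uses the 7.0 <code>verdict</code> field when a record has one, and otherwise lets a drop event or a "blocked" alert on the same packet override an "allowed" alert. The sample records are constructed; the "blocked" <code>alert.action</code> value and keying on <code>pcap_cnt</code> (pcap mode) are assumptions.</p>

```python
import json
from collections import defaultdict

# Constructed sample EVE records (not real Suricata output), one JSON object per line.
# Packet 10 matched both an alert rule and a drop rule: its alert record still says
# "allowed" (the ambiguity in this ticket) while the drop record shows the real outcome.
# Packet 4 is a Suricata 7 style record that carries the final "verdict" field.
SAMPLE_EVE = """
{"pcap_cnt": 10, "event_type": "alert", "alert": {"action": "allowed", "signature_id": 1}}
{"pcap_cnt": 10, "event_type": "drop", "drop": {"reason": "flow drop"}}
{"pcap_cnt": 11, "event_type": "alert", "alert": {"action": "allowed", "signature_id": 2}}
{"pcap_cnt": 4, "event_type": "alert", "alert": {"action": "blocked", "signature_id": 3}, "verdict": "reject"}
"""

VERDICTS = ("accept", "drop", "reject")  # values proposed in the ticket


def record_verdict(rec):
    """Return (verdict, inferred) for one record. The explicit 7.x "verdict" field
    wins; otherwise only a drop event or a "blocked" alert (assumed alert.action
    value) confirms a negative verdict. An "allowed" alert alone is only inferred,
    because a drop rule may have matched the same packet."""
    if rec.get("verdict") in VERDICTS:
        return rec["verdict"], False
    if rec.get("event_type") == "drop":
        return "drop", False
    if rec.get("event_type") == "alert" and rec.get("alert", {}).get("action") == "blocked":
        return "drop", False
    return "accept", True


def packet_verdicts(eve_text):
    """Group records by pcap_cnt (pcap mode assumed) and resolve each packet's
    effective verdict: a confirmed reject/drop overrides an "allowed" alert.
    Returns {pcap_cnt: (verdict, ambiguous)}; ambiguous means nothing confirmed it."""
    by_pkt = defaultdict(list)
    for line in eve_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            by_pkt[rec["pcap_cnt"]].append(rec)
    result = {}
    for pkt, recs in by_pkt.items():
        confirmed = {v for v, inferred in map(record_verdict, recs) if not inferred}
        final = "reject" if "reject" in confirmed else "drop" if "drop" in confirmed else "accept"
        result[pkt] = (final, not confirmed)
    return result
```

<p>On the sample, packet 10 resolves to "drop" despite its "allowed" alert, packet 11 stays "accept" but flagged ambiguous, and packet 4 takes the logged "reject" verdict directly.</p>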