Feature #7433: eve/alert: enrich decoder event rules - Suricata - Open Information Security Foundation

Actions

Feature #7433

closed

VJ VJ

eve/alert: enrich decoder event rules

Feature #7433: eve/alert: enrich decoder event rules

Added by Victor Julien over 1 year ago. Updated about 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Effort:

Difficulty:

Label:

Description

After fixing #7414, the next issue is that a default alert record for a bad ipv4 packet is mostly useless:

{
  "timestamp": "2024-11-26T09:45:26.928787+0000",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2200005,
    "rev": 2,
    "signature": "SURICATA IPv4 invalid option length",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  }
}

So the goal here is to add more metadata when available.

Subtasks 1 (0 open — 1 closed)

Related issues 1 (0 open — 1 closed)

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#1

Related to Bug #7414: detect: decoder event rules fail to match on invalid packets added

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#2

Status changed from In Progress to In Review

https://github.com/OISF/suricata/pull/12217

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#3

Status changed from In Review to Resolved

https://github.com/OISF/suricata/pull/12221

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#4

Still wondering if this should be backported, any opinions?

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#5

Label Needs backport to 7.0 added

OT Updated by OISF Ticketbot over 1 year ago Actions
Copy link
#6

Subtask #7439 added

OT Updated by OISF Ticketbot over 1 year ago Actions
Copy link
#7

Label deleted (~~Needs backport to 7.0~~)

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
#8

Status changed from Resolved to Closed

Closing as backport ticket got closed

Actions

Also available in: PDF Atom