Feature #7433: eve/alert: enrich decoder event rules - Suricata - Open Information Security Foundation

Actions

Feature #7433

open

eve/alert: enrich decoder event rules

Added by Victor Julien 14 days ago. Updated 9 days ago.

Status:

Resolved

Priority:

Normal

Assignee:

Target version:

Effort:

Difficulty:

Label:

Description

After fixing #7414, the next issue is that a default alert record for a bad ipv4 packet is mostly useless:

{
  "timestamp": "2024-11-26T09:45:26.928787+0000",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2200005,
    "rev": 2,
    "signature": "SURICATA IPv4 invalid option length",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  }
}

So the goal here is to add more metadata when available.

Subtasks 1 (0 open — 1 closed)

Related issues 1 (0 open — 1 closed)

Actions

#1

Updated by Victor Julien 14 days ago

Related to Bug #7414: detect: decoder event rules fail to match on invalid packets added

Actions

#2

Updated by Victor Julien 14 days ago

Status changed from In Progress to In Review

https://github.com/OISF/suricata/pull/12217

Actions

#3

Updated by Victor Julien 12 days ago

Status changed from In Review to Resolved

https://github.com/OISF/suricata/pull/12221

Actions

#4

Updated by Victor Julien 12 days ago

Still wondering if this should be backported, any opinions?

Actions

#5

Updated by Victor Julien 12 days ago

Label Needs backport to 7.0 added

Actions

#6

Updated by OISF Ticketbot 12 days ago

Subtask #7439 added

Actions

#7

Updated by OISF Ticketbot 12 days ago

Label deleted (~~Needs backport to 7.0~~)

Actions

Also available in: Atom PDF