Project

General

Profile

Actions
Copy link

Feature #7433

open

eve/alert: enrich decoder event rules

Added by Victor Julien 14 days ago. Updated 9 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Victor Julien
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

After fixing #7414, the next issue is that a default alert record for a bad ipv4 packet is mostly useless:

{
  "timestamp": "2024-11-26T09:45:26.928787+0000",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2200005,
    "rev": 2,
    "signature": "SURICATA IPv4 invalid option length",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  }
}

So the goal here is to add more metadata when available.

Subtasks 1 (0 open1 closed)

Feature #7439: eve/alert: enrich decoder event rules (7.0.x backport)ClosedVictor JulienActions

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #7414: detect: decoder event rules fail to match on invalid packetsClosedVictor JulienActions
Actions
Copy link
 #1

Updated by Victor Julien 14 days ago

  • Related to Bug #7414: detect: decoder event rules fail to match on invalid packets added
Actions
Copy link
 #2

Updated by Victor Julien 14 days ago

  • Status changed from In Progress to In Review
Actions
Copy link
 #3

Updated by Victor Julien 13 days ago

  • Status changed from In Review to Resolved
Actions
Copy link
 #4

Updated by Victor Julien 13 days ago

Still wondering if this should be backported, any opinions?

Actions
Copy link
 #5

Updated by Victor Julien 13 days ago

  • Label Needs backport to 7.0 added
Actions
Copy link
 #6

Updated by OISF Ticketbot 13 days ago

  • Subtask #7439 added
Actions
Copy link
 #7

Updated by OISF Ticketbot 13 days ago

  • Label deleted (Needs backport to 7.0)
Actions
Copy link

Also available in: Atom PDF