Bug #7544
openVerdict output reports "alert" when traffic is allowed implicitly/passively
Description
In IPS mode, when there are no rules except for an alert rules, traffic is "passed" (allowed implicitly/passively by default) but the verdict is "alert"
It seems like verdict should report on what the final traffic action was, in this case "pass"
It would also be very helpful is the verdict output showed which sid took the action against the traffic. For example:
"verdict": {
"action": "pass"
"sid": "1234"
},
And maybe the implicit/default/passive pass action might generate a log entry like:
"verdict": {
"action": "pass"
"sid": "default"
},
Updated by Philippe Antoine 2 months ago
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
I would think that alert is the right verdict, alert meaning for Suricata that we did not reject nor drop, but we still logged something, when pass would mean nothing to report...
Updated by Juliana Fajardini Reichow about 1 month ago
- Target version changed from TBD to 9.0.0-beta1
- Label Needs backport, Needs backport to 7.0 added
Updated by Juliana Fajardini Reichow about 1 month ago
Added the label, but must still investigate and understand further.
Updated by Juliana Fajardini Reichow about 1 month ago
- Related to Bug #7392: Verdict output reports "drop" when rejected added
Updated by Juliana Fajardini Reichow about 1 month ago
- Related to Bug #7630: pass rules with alert; keyword log with a verdict of "alert" instead of "pass" added
Updated by OISF Ticketbot about 8 hours ago
- Label deleted (
Needs backport to 7.0)