Bug #7544: Verdict output reports "alert" when traffic is allowed implicitly/passively - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #7544

open

Verdict output reports "alert" when traffic is allowed implicitly/passively

Added by Jesse Lepich 18 days ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

7.0.3

Effort:

Difficulty:

Label:

Description

In IPS mode, when there are no rules except for an alert rules, traffic is "passed" (allowed implicitly/passively by default) but the verdict is "alert"

It seems like verdict should report on what the final traffic action was, in this case "pass"

It would also be very helpful is the verdict output showed which sid took the action against the traffic. For example:

"verdict": {
"action": "pass"
"sid": "1234"
},

And maybe the implicit/default/passive pass action might generate a log entry like:

"verdict": {
"action": "pass"
"sid": "default"
},

No data to display

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #7544

Verdict output reports "alert" when traffic is allowed implicitly/passively