Bug #7544: Verdict output reports "alert" when traffic is allowed implicitly/passively - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #7544

open

Verdict output reports "alert" when traffic is allowed implicitly/passively

Added by Jesse Lepich 6 months ago. Updated 21 days ago.

Status:

New

Priority:

Normal

Assignee:

Juliana Fajardini Reichow

Target version:

TBD

Affected Versions:

7.0.3

Effort:

Difficulty:

Label:

Description

In IPS mode, when there are no rules except for an alert rules, traffic is "passed" (allowed implicitly/passively by default) but the verdict is "alert"

It seems like verdict should report on what the final traffic action was, in this case "pass"

It would also be very helpful is the verdict output showed which sid took the action against the traffic. For example:

"verdict": {
"action": "pass"
"sid": "1234"
},

And maybe the implicit/default/passive pass action might generate a log entry like:

"verdict": {
"action": "pass"
"sid": "default"
},

Actions

Copy link

Updated by Philippe Antoine 21 days ago

Assignee changed from OISF Dev to Juliana Fajardini Reichow

I would think that alert is the right verdict, alert meaning for Suricata that we did not reject nor drop, but we still logged something, when pass would mean nothing to report...

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #7544

Verdict output reports "alert" when traffic is allowed implicitly/passively

Updated by Philippe Antoine 21 days ago