Project

General

Profile

Actions
Copy link

Bug #7544

open

eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively

Added by Jesse Lepich 9 months ago. Updated 6 days ago.

Status:
Assigned
Priority:
Normal
Assignee:
Juliana Fajardini Reichow
Target version:
9.0.0-beta1
Affected Versions:
7.0.3
Effort:
Difficulty:
Label:

Description

In IPS mode, when there are no rules except for an alert rules, traffic is "passed" (allowed implicitly/passively by default) but the verdict is "alert"

It seems like verdict should report on what the final traffic action was, in this case "pass"

It would also be very helpful is the verdict output showed which sid took the action against the traffic. For example:

"verdict": {
"action": "pass"
"sid": "1234"
},

And maybe the implicit/default/passive pass action might generate a log entry like:

"verdict": {
"action": "pass"
"sid": "default"
},

Subtasks 2 (1 open1 closed)

Bug #7907: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively (7.0.x backport)ClosedJuliana Fajardini ReichowActions
Bug #8071: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively (8.0.x backport)AssignedJuliana Fajardini ReichowActions

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #7392: Verdict output reports "drop" when rejectedFeedbackJuliana Fajardini ReichowActions
Actions
Copy link
 #1

Updated by Philippe Antoine 4 months ago

  • Assignee changed from OISF Dev to Juliana Fajardini Reichow

I would think that alert is the right verdict, alert meaning for Suricata that we did not reject nor drop, but we still logged something, when pass would mean nothing to report...

Actions
Copy link
 #2

Updated by Juliana Fajardini Reichow 3 months ago

  • Target version changed from TBD to 9.0.0-beta1
  • Label Needs backport, Needs backport to 7.0 added
Actions
Copy link
 #3

Updated by Juliana Fajardini Reichow 3 months ago

Added the label, but must still investigate and understand further.

Actions
Copy link
 #4

Updated by Juliana Fajardini Reichow 3 months ago

  • Related to Bug #7392: Verdict output reports "drop" when rejected added
Actions
Copy link
 #5

Updated by Juliana Fajardini Reichow 3 months ago

  • Related to Bug #7630: eve/alert: incorrect verdict with pass + alert rule added
Actions
Copy link
 #6

Updated by OISF Ticketbot about 2 months ago

  • Subtask #7907 added
Actions
Copy link
 #7

Updated by OISF Ticketbot about 2 months ago

  • Label deleted (Needs backport to 7.0)
Actions
Copy link
 #8

Updated by Shivani Bhardwaj 13 days ago

  • Related to deleted (Bug #7630: eve/alert: incorrect verdict with pass + alert rule)
Actions
Copy link
 #9

Updated by Shivani Bhardwaj 13 days ago

  • Is duplicate of Bug #7630: eve/alert: incorrect verdict with pass + alert rule added
Actions
Copy link
 #10

Updated by Juliana Fajardini Reichow 12 days ago

  • Status changed from New to Assigned
Actions
Copy link
 #11

Updated by Victor Julien 11 days ago

  • Subject changed from Verdict output reports "alert" when traffic is allowed implicitly/passively to eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively
Actions
Copy link
 #12

Updated by Victor Julien 11 days ago

  • Label Needs backport to 8.0 added
  • Label deleted (Needs backport)
Actions
Copy link
 #13

Updated by OISF Ticketbot 11 days ago

  • Subtask #8071 added
Actions
Copy link
 #14

Updated by OISF Ticketbot 11 days ago

  • Label deleted (Needs backport to 8.0)
Actions
Copy link
 #15

Updated by Juliana Fajardini Reichow 11 days ago

  • Is duplicate of deleted (Bug #7630: eve/alert: incorrect verdict with pass + alert rule)
Actions
Copy link

Also available in: Atom PDF