Bug #7544
openeve/alert: verdict reports "alert" when traffic is allowed implicitly/passively
Description
In IPS mode, when there are no rules except for an alert rules, traffic is "passed" (allowed implicitly/passively by default) but the verdict is "alert"
It seems like verdict should report on what the final traffic action was, in this case "pass"
It would also be very helpful is the verdict output showed which sid took the action against the traffic. For example:
"verdict": {
"action": "pass"
"sid": "1234"
},
And maybe the implicit/default/passive pass action might generate a log entry like:
"verdict": {
"action": "pass"
"sid": "default"
},
PA Updated by Philippe Antoine 9 months ago
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
I would think that alert is the right verdict, alert meaning for Suricata that we did not reject nor drop, but we still logged something, when pass would mean nothing to report...
JF Updated by Juliana Fajardini Reichow 8 months ago
- Target version changed from TBD to 9.0.0-beta1
- Label Needs backport, Needs backport to 7.0 added
JF Updated by Juliana Fajardini Reichow 8 months ago
Added the label, but must still investigate and understand further.
JF Updated by Juliana Fajardini Reichow 8 months ago
- Related to Bug #7392: Verdict output reports "drop" when rejected added
JF Updated by Juliana Fajardini Reichow 8 months ago
- Related to Bug #7630: eve/alert: incorrect verdict with pass + alert rule added
OT Updated by OISF Ticketbot 7 months ago
- Subtask #7907 added
OT Updated by OISF Ticketbot 7 months ago
- Label deleted (
Needs backport to 7.0)
SB Updated by Shivani Bhardwaj 6 months ago
- Related to deleted (Bug #7630: eve/alert: incorrect verdict with pass + alert rule)
SB Updated by Shivani Bhardwaj 6 months ago
- Is duplicate of Bug #7630: eve/alert: incorrect verdict with pass + alert rule added
JF Updated by Juliana Fajardini Reichow 6 months ago
- Status changed from New to Assigned
VJ Updated by Victor Julien 5 months ago
- Subject changed from Verdict output reports "alert" when traffic is allowed implicitly/passively to eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively
VJ Updated by Victor Julien 5 months ago
- Label Needs backport to 8.0 added
- Label deleted (
Needs backport)
OT Updated by OISF Ticketbot 5 months ago
- Subtask #8071 added
OT Updated by OISF Ticketbot 5 months ago
- Label deleted (
Needs backport to 8.0)
JF Updated by Juliana Fajardini Reichow 5 months ago
- Is duplicate of deleted (Bug #7630: eve/alert: incorrect verdict with pass + alert rule)
JF Updated by Juliana Fajardini Reichow about 2 months ago
We're thinking that...
adding `sid` to the verdict makes sense.
I must still better understand whether there are situations when we should have verdict `pass` but are seeing `alert`.