Bug #7544
open
eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively
Added by Jesse Lepich 10 months ago.
Updated 20 days ago.
Description
In IPS mode, when there are no rules except for alert rules, traffic is "passed" (allowed implicitly/passively by default) but the verdict is "alert".
It seems like verdict should report on what the final traffic action was, in this case "pass".
It would also be very helpful if the verdict output showed which sid took the action against the traffic. For example:
"verdict": {
    "action": "pass",
    "sid": "1234"
},
And maybe the implicit/default/passive pass action might generate a log entry like:
"verdict": {
    "action": "pass",
    "sid": "default"
},
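An added triage helper, not code from this report or from Suricata itself: it reads eve.json alert records and flags the case described above, a verdict.action of "alert" while alert.action says the traffic was "allowed". It assumes the EVE alert fields alert.action ("allowed"/"blocked"), alert.signature_id and verdict.action; the sample lines are constructed for the example.

```python
import json

# Constructed eve.json lines (made up for this example, not from the report):
# 1) alert-only rule match in IPS mode: packet allowed, verdict logged as "alert"
# 2) drop rule match: packet blocked, verdict logged as "drop"
# 3) a non-alert event, which the checker must skip
SAMPLE_EVE = """\
{"event_type":"alert","alert":{"action":"allowed","signature_id":1234,"signature":"TEST alert only"},"verdict":{"action":"alert"}}
{"event_type":"alert","alert":{"action":"blocked","signature_id":5678,"signature":"TEST drop"},"verdict":{"action":"drop"}}
{"event_type":"flow","flow":{"pkts_toserver":3}}
"""


def effective_action(alert):
    """What actually happened to the traffic, derived from alert.action
    ('allowed' -> pass, 'blocked' -> drop); anything else is 'unknown'."""
    return {"allowed": "pass", "blocked": "drop"}.get(alert.get("action"), "unknown")


def check_verdicts(eve_text):
    """Return one finding per alert record: the sid, the verdict Suricata
    logged, the action derived from alert.action, and whether this is the
    combination the report describes (verdict "alert" on allowed traffic)."""
    findings = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        logged = rec.get("verdict", {}).get("action", "missing")
        effective = effective_action(alert)
        findings.append({
            "sid": alert.get("signature_id"),
            "verdict": logged,
            "effective": effective,
            "alert_on_allowed": logged == "alert" and effective == "pass",
        })
    return findings


if __name__ == "__main__":
    # Run over a real log with: check_verdicts(open("eve.json").read())
    for finding in check_verdicts(SAMPLE_EVE):
        print(finding)
```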
Related issues
1 (1 open — 0 closed)
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
I would think that alert is the right verdict, alert meaning for Suricata that we neither rejected nor dropped, but we still logged something, when pass would mean nothing to report...
- Target version changed from TBD to 9.0.0-beta1
- Label Needs backport, Needs backport to 7.0 added
Added the label, but must still investigate and understand further.
- Related to Bug #7392: Verdict output reports "drop" when rejected added
- Related to Bug #7630: eve/alert: incorrect verdict with pass + alert rule added
- Label deleted (Needs backport to 7.0)
- Related to deleted (Bug #7630: eve/alert: incorrect verdict with pass + alert rule)
- Is duplicate of Bug #7630: eve/alert: incorrect verdict with pass + alert rule added
- Status changed from New to Assigned
- Subject changed from Verdict output reports "alert" when traffic is allowed implicitly/passively to eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively
- Label Needs backport to 8.0 added
- Label deleted (Needs backport)
- Label deleted (Needs backport to 8.0)
- Is duplicate of deleted (Bug #7630: eve/alert: incorrect verdict with pass + alert rule)