
Bug #7544

open

Verdict output reports "alert" when traffic is allowed implicitly/passively

Added by Jesse Lepich 8 months ago. Updated 21 days ago.

Status: New
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport

Description

In IPS mode, when there are no rules except for alert rules, traffic is "passed" (allowed implicitly/passively by default) but the verdict is "alert".

It seems like verdict should report on what the final traffic action was, in this case "pass".

It would also be very helpful if the verdict output showed which sid took the action against the traffic. For example:

    "verdict": {
        "action": "pass",
        "sid": "1234"
    },

And maybe the implicit/default/passive pass action might generate a log entry like:

    "verdict": {
        "action": "pass",
        "sid": "default"
    },
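The discrepancy described above can be worked around on the consuming side until the logger is fixed. The following is an added example (not Suricata's code and not part of this report) that scans EVE alert records and derives the effective traffic action and sid in the shape the report proposes. It assumes the EVE fields `alert.action` ("allowed"/"blocked") and `alert.signature_id`, and that an "allowed" packet whose verdict reads "alert" was passed implicitly (sid "default"), since the log cannot distinguish that from a pass rule that also alerted.

```python
import json

# Constructed sample EVE lines (not captured from a real sensor). Flow 1 shows the
# bug: an alert-only rule in IPS mode, packet allowed, verdict still says "alert".
SAMPLE_EVE = """\
{"event_type":"alert","flow_id":1,"alert":{"action":"allowed","signature_id":1234,"signature":"TEST alert only"},"verdict":{"action":"alert"}}
{"event_type":"alert","flow_id":2,"alert":{"action":"blocked","signature_id":5678,"signature":"TEST drop"},"verdict":{"action":"drop"}}
{"event_type":"flow","flow_id":3}
"""


def effective_verdict(event):
    """Return (action, sid) for what actually happened to the traffic, or None
    for non-alert events.

    Assumption: alert.action is "allowed" or "blocked" and alert.signature_id
    carries the sid of the rule that fired (standard EVE alert fields).
    """
    if event.get("event_type") != "alert":
        return None
    alert = event.get("alert", {})
    reported = event.get("verdict", {}).get("action")
    sid = alert.get("signature_id")
    if alert.get("action") == "blocked":
        # A drop/reject really occurred; the logged verdict and sid are accurate.
        return reported, sid
    if reported == "pass":
        # An explicit pass rule took the action; keep its sid.
        return "pass", sid
    # Allowed but verdict says "alert": the final action was the implicit
    # default pass, which the report proposes logging as sid "default".
    return "pass", "default"


def find_misleading_verdicts(eve_text):
    """Return (flow_id, reported_action, effective_action, effective_sid) for
    every alert whose logged verdict disagrees with the effective action."""
    rows = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        res = effective_verdict(ev)
        if res is None:
            continue
        action, sid = res
        reported = ev.get("verdict", {}).get("action")
        if reported != action:
            rows.append((ev.get("flow_id"), reported, action, sid))
    return rows


if __name__ == "__main__":
    for row in find_misleading_verdicts(SAMPLE_EVE):
        print("flow %s: verdict says %r but traffic was %s (sid %s)" % row)
```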


Subtasks 1 (1 open, 0 closed)

Bug #7907: Verdict output reports "alert" when traffic is allowed implicitly/passively (7.0.x backport) - Assigned - Juliana Fajardini Reichow

Related issues 2 (2 open, 0 closed)

Related to Suricata - Bug #7392: Verdict output reports "drop" when rejected - Feedback - Juliana Fajardini Reichow
Related to Suricata - Bug #7630: pass rules with alert; keyword log with a verdict of "alert" instead of "pass" - Feedback - Juliana Fajardini Reichow
