Project

General

Profile

Actions
Copy link

Bug #7630

open

pass rules with alert; keyword log with a verdict of "alert" instead of "pass"

Added by Jesse Lepich 3 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
7.0.8
Effort:
Difficulty:
Label:

Description

This rule:

pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)

produces an alert log entry with a verdict of "alert" instead of "pass":

"verdict": {"action": "alert"},

No data to display

Actions
Copy link

Also available in: Atom PDF