Bug #7630 (Closed)
eve/alert: incorrect verdict with pass + alert rule
Description
This rule:
pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)
produces an alert log entry with a verdict of "alert" instead of "pass":
"verdict": {"action": "alert"},
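The check a practitioner would want here, added as an example that is not part of the original report and not Suricata's own code: parse the rule file to map each sid to its rule action, then scan eve.json alert records and flag any record whose verdict.action disagrees with the action of the rule that fired. The rule text is the one from the report; the eve.json lines are constructed to reproduce the logged "alert" verdict (plus a correct drop record for contrast), and the mapping from rule action to expected verdict action is an assumption, not something the page states.

```python
"""Cross-check eve.json alert verdicts against the firing rule's action.

Hypothetical diagnostic, not part of Suricata. Assumes the verdict.action
Suricata logs should equal the rule action (pass -> pass, drop -> drop,
alert -> alert, reject* -> reject).
"""
import json
import re

# Matches "<action> <proto> ... (<options>)"; options are captured raw.
RULE_RE = re.compile(
    r"^\s*(?P<action>pass|drop|reject|rejectsrc|rejectdst|rejectboth|alert)"
    r"\s+\S+.*?\((?P<opts>.*)\)\s*$"
)
# sid:<n>; inside the option list, anchored on the ';' separator.
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")

# Rules under test: the rule from the report plus a constructed drop rule.
RULES = """
# constructed rules file
pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)
drop tcp any any -> any 4444 (msg:"constructed drop rule"; sid:9000001; rev:1;)
"""

# Constructed eve.json records: the first reproduces the reported verdict,
# the second is a correctly logged drop for comparison.
EVE_LINES = [
    '{"timestamp":"2025-02-27T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"52.1.2.3","proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":202502272,"rev":0},'
    '"verdict":{"action":"alert"}}',
    '{"timestamp":"2025-02-27T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1},'
    '"verdict":{"action":"drop"}}',
    '{"timestamp":"2025-02-27T10:00:02.000000+0000","event_type":"flow"}',
]


def parse_rule_actions(rules_text):
    """Return {sid: action} for every rule line; blanks and comments skipped."""
    actions = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        sid = SID_RE.search(m.group("opts"))
        if sid:
            actions[int(sid.group(1))] = m.group("action")
    return actions


def expected_verdict(rule_action):
    """Verdict action we assume Suricata should log for a rule action."""
    if rule_action is None:
        return None
    if rule_action.startswith("reject"):
        return "reject"
    return rule_action


def find_mismatches(rules_text, eve_lines):
    """Return alert records whose verdict.action != the firing rule's action."""
    actions = parse_rule_actions(rules_text)
    mismatches = []
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if rec.get("event_type") != "alert":
            continue
        sid = rec.get("alert", {}).get("signature_id")
        got = rec.get("verdict", {}).get("action")
        want = expected_verdict(actions.get(sid))
        if want is not None and got != want:
            mismatches.append(
                {"sid": sid, "rule_action": actions[sid],
                 "verdict": got, "expected": want}
            )
    return mismatches


if __name__ == "__main__":
    for m in find_mismatches(RULES, EVE_LINES):
        print("sid %(sid)d: rule action %(rule_action)s, verdict logged %(verdict)s, "
              "expected %(expected)s" % m)
```

Run against a real deployment by replacing RULES with the loaded rule files and EVE_LINES with the lines of eve.json; any record the script prints is a verdict that does not match the rule's action, which for a pass rule with the alert keyword is exactly the symptom reported above.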
PA Updated by Philippe Antoine 9 months ago
- Status changed from New to Feedback
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
Hmmm... I would expect a verdict alert...
JF Updated by Juliana Fajardini Reichow 8 months ago
- Target version changed from TBD to 9.0.0-beta1
JF Updated by Juliana Fajardini Reichow 8 months ago
It should be pass, if that's the rule that triggered.
The PASS action is the only one with a different check-style when we log the verdict, so there may be something here.
But more info could be of help, still, indeed.
JF Updated by Juliana Fajardini Reichow 8 months ago
- Label Needs backport, Needs backport to 7.0 added
JF Updated by Juliana Fajardini Reichow 8 months ago
- Related to Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively added
OT Updated by OISF Ticketbot 7 months ago
- Subtask #7906 added
OT Updated by OISF Ticketbot 7 months ago
- Label deleted (Needs backport to 7.0)
VJ Updated by Victor Julien 7 months ago
- Label Needs backport to 8.0 added
- Label deleted (Needs backport)
OT Updated by OISF Ticketbot 7 months ago
- Subtask #7911 added
OT Updated by OISF Ticketbot 7 months ago
- Label deleted (Needs backport to 8.0)
SB Updated by Shivani Bhardwaj 5 months ago
- Subject changed from pass rules with alert; keyword log with a verdict of "alert" instead of "pass" to output/alert: incorrect verdict with pass + alert rule
SB Updated by Shivani Bhardwaj 5 months ago
- Related to deleted (Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively)
SB Updated by Shivani Bhardwaj 5 months ago
- Has duplicate Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively added
VJ Updated by Victor Julien 5 months ago
- Subject changed from output/alert: incorrect verdict with pass + alert rule to eve/alert: incorrect verdict with pass + alert rule
JF Updated by Juliana Fajardini Reichow 5 months ago · Edited
- Assignee changed from Juliana Fajardini Reichow to Philippe Antoine
As Philippe is working on a fix that seems to also impact this.
JF Updated by Juliana Fajardini Reichow 5 months ago
- Related to Security #8021: eve/alert: heap buffer overflow on verdict added
JF Updated by Juliana Fajardini Reichow 5 months ago
- Has duplicate deleted (Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively)
JF Updated by Juliana Fajardini Reichow 5 months ago
Removed the Duplicate of #7544 as to me that one has more of a feature request + some considerations on what is understood as `pass` and `accepted` in IPS mode.
Although there may be more to that one -- which means it still requires further investigation, while this could be fixed by what Philippe has patched recently.
PA Updated by Philippe Antoine 5 months ago
- Assignee changed from Philippe Antoine to Juliana Fajardini Reichow
I am not the one working on the good fix for this ;-p
JF Updated by Juliana Fajardini Reichow 5 months ago
- Status changed from Feedback to Assigned
Philippe Antoine wrote in #note-19:
I am not the one working on the good fix for this ;-p
What a roller coaster :P
JF Updated by Juliana Fajardini Reichow 5 months ago · Edited
- Status changed from Assigned to In Review
MR on gitlab
VJ Updated by Victor Julien 5 months ago
- Status changed from In Review to Closed