Bug #7630
closedeve/alert: incorrect verdict with pass + alert rule
Description
This rule:
pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)
produces an alert log entry with a verdict of "alert" instead of "pass":
"verdict": {"action": "alert"},
Updated by Philippe Antoine 4 months ago
- Status changed from New to Feedback
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
Hmmm... I would expect a verdict alert...
Updated by Juliana Fajardini Reichow 4 months ago
- Target version changed from TBD to 9.0.0-beta1
Updated by Juliana Fajardini Reichow 4 months ago
It should be pass, if that's the rule that triggered.
The PASS action is the only one with a different check-style when we log the verdict, so there may be something here.
But more info could be of help, still, indeed.
Updated by Juliana Fajardini Reichow 4 months ago
- Label Needs backport, Needs backport to 7.0 added
Updated by Juliana Fajardini Reichow 4 months ago
- Related to Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively added
Updated by Victor Julien 2 months ago
- Label Needs backport to 8.0 added
- Label deleted (
Needs backport)
Updated by Shivani Bhardwaj 27 days ago
- Subject changed from pass rules with alert; keyword log with a verdict of "alert" instead of "pass" to output/alert: incorrect verdict with pass + alert rule
Updated by Shivani Bhardwaj 27 days ago
- Related to deleted (Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively)
Updated by Shivani Bhardwaj 27 days ago
- Has duplicate Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively added
Updated by Victor Julien 25 days ago
- Subject changed from output/alert: incorrect verdict with pass + alert rule to eve/alert: incorrect verdict with pass + alert rule
Updated by Juliana Fajardini Reichow 25 days ago · Edited
- Assignee changed from Juliana Fajardini Reichow to Philippe Antoine
As Philippe is working on a fix that seems to also impact this.
Updated by Juliana Fajardini Reichow 25 days ago
- Has duplicate deleted (Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively)
Updated by Juliana Fajardini Reichow 25 days ago
Removed the Duplicate of #7544 as to me that one has more of a feature request + some considerations on what is understood as `pass` and `accepted` in IPS mode.
Although there may be more to that one -- which means it still requires further investigation, while this could be fixed by what Philippe has patched recently.
Updated by Philippe Antoine 24 days ago
- Assignee changed from Philippe Antoine to Juliana Fajardini Reichow
I am not the one working on the good fix for this ;-p
Updated by Juliana Fajardini Reichow 22 days ago
- Status changed from Feedback to Assigned
Philippe Antoine wrote in #note-19:
I am not the one working on the good fix for this ;-p
What a roller coaster :P
Updated by Juliana Fajardini Reichow 22 days ago · Edited
- Status changed from Assigned to In Review
MR on gitlab