Bug #7630

open

pass rules with alert; keyword log with a verdict of "alert" instead of "pass"

Added by Jesse Lepich 5 months ago. Updated 11 days ago.

Status: Feedback
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport, Needs backport to 7.0

Description

This rule:

pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)

produces an alert log entry with a verdict of "alert" instead of "pass":

"verdict": {"action": "alert"},
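An added consistency check (not code from the ticket or from the Suricata project) that detects the symptom reported above: it maps each rule's sid to its action and flags EVE alert records whose sid belongs to a pass rule but whose verdict.action is not "pass". The rule set and EVE lines below are constructed samples; only sid 202502272, the rule text and the verdict field come from the report, and sid 1000001 is a placeholder.

```python
import json
import re

# Constructed sample rule set: the pass rule from the bug report plus an
# ordinary alert rule for contrast (sid 1000001 is a placeholder).
RULES = """
pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)
alert tls $HOME_NET any -> any any (tls.sni; content:"example.invalid"; sid:1000001;)
"""

# Constructed EVE JSON lines trimmed to the fields the check needs. The first
# line reproduces the reported symptom: the pass rule's alert record carries
# a verdict of "alert" instead of "pass".
EVE_LINES = """
{"event_type": "alert", "alert": {"signature_id": 202502272}, "verdict": {"action": "alert"}}
{"event_type": "alert", "alert": {"signature_id": 1000001}, "verdict": {"action": "alert"}}
{"event_type": "flow", "flow": {"pkts_toserver": 3}}
"""

# action, header up to the first "(", then the option list.
RULE_RE = re.compile(r"^\s*(?P<action>[a-z]+)\s+[^(]*\((?P<options>.*)\)\s*$")

def parse_rules(rules_text):
    """Return {sid: action} for every rule line in the text."""
    actions = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or comment
        # Simple ';' split; enough for rules without ';' inside quoted content.
        opts = [o.strip() for o in m.group("options").split(";") if o.strip()]
        sid = next((int(o.split(":", 1)[1]) for o in opts if o.startswith("sid")), None)
        if sid is not None:
            actions[sid] = m.group("action")
    return actions

def find_verdict_mismatches(rules_text, eve_text):
    """List (sid, verdict) for alert events of pass rules whose verdict is not 'pass'."""
    actions = parse_rules(rules_text)
    mismatches = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # only alert records carry a signature verdict
        sid = ev["alert"]["signature_id"]
        verdict = ev.get("verdict", {}).get("action")
        if actions.get(sid) == "pass" and verdict != "pass":
            mismatches.append((sid, verdict))
    return mismatches

if __name__ == "__main__":
    for sid, verdict in find_verdict_mismatches(RULES, EVE_LINES):
        print(f"sid {sid}: pass rule logged with verdict {verdict!r}")
```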


Related issues: 1 (1 open, 0 closed)

Related to Suricata - Bug #7544: Verdict output reports "alert" when traffic is allowed implicitly/passively (Status: New; Assignee: Juliana Fajardini Reichow)

#1

Updated by Philippe Antoine about 1 month ago

  • Status changed from New to Feedback
  • Assignee changed from OISF Dev to Juliana Fajardini Reichow

Hmmm... I would expect a verdict alert...

#2

Updated by Juliana Fajardini Reichow 11 days ago

  • Target version changed from TBD to 9.0.0-beta1

#3

Updated by Juliana Fajardini Reichow 11 days ago

It should be pass, if that's the rule that triggered.
The PASS action is the only one with a different check-style when we log the verdict, so there may be something here.

But more info could be of help, still, indeed.

#4

Updated by Juliana Fajardini Reichow 11 days ago

  • Label Needs backport, Needs backport to 7.0 added

#5

Updated by Juliana Fajardini Reichow 10 days ago

  • Related to Bug #7544: Verdict output reports "alert" when traffic is allowed implicitly/passively added