Project

General

Profile

Actions
Copy link

Bug #7630

open

pass rules with alert; keyword log with a verdict of "alert" instead of "pass"

Added by Jesse Lepich 4 months ago. Updated 4 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
Juliana Fajardini Reichow
Target version:
TBD
Affected Versions:
7.0.8
Effort:
Difficulty:
Label:

Description

This rule:

pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)

produces an alert log entry with a verdict of "alert" instead of "pass":

"verdict": {"action": "alert"},

Actions
Copy link
 #1

Updated by Philippe Antoine 4 days ago

  • Status changed from New to Feedback
  • Assignee changed from OISF Dev to Juliana Fajardini Reichow

Hmmm... I would expect a verdict alert...

Actions
Copy link

Also available in: Atom PDF