Bug #7630
eve/alert: incorrect verdict with pass + alert rule
Status: Closed
Added by Jesse Lepich about 1 year ago. Updated 8 months ago.
Description
This rule:
pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)
produces an alert log entry with a verdict of "alert" instead of "pass":
"verdict": {"action": "alert"},
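A quick way to catch this class of discrepancy in your own deployment is to cross-check the verdict logged in each EVE alert event against the action keyword of the rule that fired. The script below is an added example, not code from the bug report or from the Suricata project: it parses the leading action and the sid out of each rule line, reads EVE JSON lines, and reports alert events whose verdict.action differs from what the rule's action implies. The rule set and the EVE lines are constructed (the first rule and the first event reproduce the symptom described above); folding the rejectsrc/rejectdst/rejectboth variants into a single expected verdict of "reject" is an assumption of this example, not something the report states.

```python
"""Cross-check EVE alert verdicts against the action of the rule that fired.

Added example (not from the bug report or Suricata). Inputs are constructed
inline so it runs offline; point it at a real rules file and eve.json to use it.
"""
import json
import re

# Rule actions accepted at the start of a rule, mapped to the verdict.action
# value we expect for them. Folding the reject variants into "reject" is an
# assumption of this example.
RULE_ACTIONS = {
    "alert": "alert",
    "pass": "pass",
    "drop": "drop",
    "reject": "reject",
    "rejectsrc": "reject",
    "rejectdst": "reject",
    "rejectboth": "reject",
}

# "<action> <proto> <src> <sport> <dir> <dst> <dport> ( <options> )"
RULE_RE = re.compile(
    r"^(?P<action>[a-z]+)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)
# "sid:N;" inside the option list, anchored on the option separator.
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(?P<sid>\d+)\s*;")


def parse_rule_actions(rules_text):
    """Return {sid: expected_verdict} for each parsable rule line.

    Comment lines, lines without a recognised action, and rules without a
    sid are skipped rather than guessed at.
    """
    expected = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("action") not in RULE_ACTIONS:
            continue
        sid_m = SID_RE.search(m.group("opts"))
        if not sid_m:
            continue
        expected[int(sid_m.group("sid"))] = RULE_ACTIONS[m.group("action")]
    return expected


def find_verdict_mismatches(rules_text, eve_lines):
    """Compare each EVE alert event's verdict.action with its rule's action.

    Returns a list of dicts for events whose verdict differs from the rule
    action, and for alert events whose sid is not in the rule set.
    """
    expected = parse_rule_actions(rules_text)
    mismatches = []
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("event_type") != "alert":
            continue  # only alert events carry a rule verdict we can check
        sid = ev.get("alert", {}).get("signature_id")
        verdict = ev.get("verdict", {}).get("action")
        want = expected.get(sid)
        if want is None:
            mismatches.append({"sid": sid, "expected": None, "verdict": verdict,
                               "reason": "sid not found in rule set"})
        elif verdict != want:
            mismatches.append({"sid": sid, "expected": want, "verdict": verdict,
                               "reason": "verdict differs from rule action"})
    return mismatches


# Constructed rule set: the pass+alert rule from the report plus a plain alert rule.
RULES = """\
# constructed for this example
pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)
alert tls $HOME_NET any -> any any (msg:"example sni"; tls.sni; content:"example.test"; sid:1000001;)
"""

# Constructed EVE lines: the reported symptom, a consistent alert, and a non-alert event.
EVE_LINES = [
    json.dumps({"event_type": "alert", "alert": {"signature_id": 202502272, "action": "allowed"},
                "verdict": {"action": "alert"}}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": 1000001, "action": "allowed"},
                "verdict": {"action": "alert"}}),
    json.dumps({"event_type": "flow", "flow": {"state": "closed"}}),
]


if __name__ == "__main__":
    for m in find_verdict_mismatches(RULES, EVE_LINES):
        print(m)
```

Run against a real eve.json by replacing EVE_LINES with the file's lines and RULES with the loaded rules file; the only expected hit on the constructed input is sid 202502272, logged with verdict "alert" where the pass action calls for "pass".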
Updated by Philippe Antoine 11 months ago #1
- Status changed from New to Feedback
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
Hmmm... I would expect a verdict alert...
Updated by Juliana Fajardini Reichow 11 months ago #2
- Target version changed from TBD to 9.0.0-beta1
Updated by Juliana Fajardini Reichow 11 months ago #3
It should be pass, if that's the rule that triggered.
The PASS action is the only one with a different check-style when we log the verdict, so there may be something here.
But more info could be of help, still, indeed.
Updated by Juliana Fajardini Reichow 11 months ago #4
- Label Needs backport, Needs backport to 7.0 added
Updated by Juliana Fajardini Reichow 11 months ago #5
- Related to Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively added
Updated by OISF Ticketbot 9 months ago #6
- Subtask #7906 added
Updated by OISF Ticketbot 9 months ago #7
- Label deleted (Needs backport to 7.0)
Updated by Victor Julien 9 months ago #8
- Label Needs backport to 8.0 added
- Label deleted (Needs backport)
Updated by OISF Ticketbot 9 months ago #9
- Subtask #7911 added
Updated by OISF Ticketbot 9 months ago #10
- Label deleted (Needs backport to 8.0)
Updated by Shivani Bhardwaj 8 months ago #11
- Subject changed from pass rules with alert; keyword log with a verdict of "alert" instead of "pass" to output/alert: incorrect verdict with pass + alert rule
Updated by Shivani Bhardwaj 8 months ago #12
- Related to deleted (Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively)
Updated by Shivani Bhardwaj 8 months ago #13
- Has duplicate Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively added
Updated by Victor Julien 8 months ago #14
- Subject changed from output/alert: incorrect verdict with pass + alert rule to eve/alert: incorrect verdict with pass + alert rule
Updated by Juliana Fajardini Reichow 8 months ago (edited) #15
- Assignee changed from Juliana Fajardini Reichow to Philippe Antoine
As Philippe is working on a fix that seems to also impact this.
Updated by Juliana Fajardini Reichow 8 months ago #16
- Related to Security #8021: eve/alert: heap buffer overflow on verdict added
Updated by Juliana Fajardini Reichow 8 months ago #17
- Has duplicate deleted (Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively)
Updated by Juliana Fajardini Reichow 8 months ago #18
Removed the Duplicate of #7544 as to me that one has more of a feature request + some considerations on what is understood as `pass` and `accepted` in IPS mode.
Although there may be more to that one -- which means it still requires further investigation, while this could be fixed by what Philippe has patched recently.
Updated by Philippe Antoine 8 months ago #19
- Assignee changed from Philippe Antoine to Juliana Fajardini Reichow
I am not the one working on the good fix for this ;-p
Updated by Juliana Fajardini Reichow 8 months ago #20
- Status changed from Feedback to Assigned
Philippe Antoine wrote in #note-19:
I am not the one working on the good fix for this ;-p
What a roller coaster :P
Updated by Juliana Fajardini Reichow 8 months ago (edited) #21
- Status changed from Assigned to In Review
MR on gitlab
Updated by Victor Julien 8 months ago #22
- Status changed from In Review to Closed