Bug #7630
openeve/alert: incorrect verdict with pass + alert rule
Added by Jesse Lepich 7 months ago. Updated about 17 hours ago.
Description
This rule:
pass tls $HOME_NET any -> any any (alert; tls.sni; content:"checkip.amazonaws.com"; sid:202502272;)
produces an alert log entry with a verdict of "alert" instead of "pass":
"verdict": {"action": "alert"},
Updated by Philippe Antoine 4 months ago
- Status changed from New to Feedback
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
Hmmm... I would expect a verdict alert...
Updated by Juliana Fajardini Reichow 3 months ago
- Target version changed from TBD to 9.0.0-beta1
Updated by Juliana Fajardini Reichow 3 months ago
It should be pass, if that's the rule that triggered.
The PASS action is the only one with a different check-style when we log the verdict, so there may be something here.
But more info could be of help, still, indeed.
Updated by Juliana Fajardini Reichow 3 months ago
- Label Needs backport, Needs backport to 7.0 added
Updated by Juliana Fajardini Reichow 3 months ago
- Related to Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively added
Updated by OISF Ticketbot about 1 month ago
- Label deleted (
Needs backport to 7.0)
Updated by Victor Julien about 1 month ago
- Label Needs backport to 8.0 added
- Label deleted (
Needs backport)
Updated by OISF Ticketbot about 1 month ago
- Label deleted (
Needs backport to 8.0)
Updated by Shivani Bhardwaj 2 days ago
- Subject changed from pass rules with alert; keyword log with a verdict of "alert" instead of "pass" to output/alert: incorrect verdict with pass + alert rule
Updated by Shivani Bhardwaj 2 days ago
- Related to deleted (Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively)
Updated by Shivani Bhardwaj 2 days ago
- Has duplicate Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively added
Updated by Victor Julien about 22 hours ago
- Subject changed from output/alert: incorrect verdict with pass + alert rule to eve/alert: incorrect verdict with pass + alert rule
Updated by Juliana Fajardini Reichow about 17 hours ago ยท Edited
- Assignee changed from Juliana Fajardini Reichow to Philippe Antoine
As Philippe is working on a fix that seems to also impact this.
Updated by Juliana Fajardini Reichow about 17 hours ago
- Has duplicate deleted (Bug #7544: eve/alert: verdict reports "alert" when traffic is allowed implicitly/passively)
Updated by Juliana Fajardini Reichow about 17 hours ago
Removed the Duplicate of #7544 as to me that one has more of a feature request + some considerations on what is understood as `pass` and `accepted` in IPS mode.
Although there may be more to that one -- which means it still requires further investigation, while this could be fixed by what Philippe has patched recently.