tests: showcase flow.action lack of update - v4 #2052

jufajardini · 2024-09-20T16:34:06Z

It seems that in certain cases as seen in this test, flow.action isn't updated, even if, say, all packets from the flow are dropped.

Maybe this is due to the rule not being applied directly to the flow, but to each packet individually. But considering we are using a flow keyword, it seems that the engine should pass over the drop action to flow.action, at least in the flow event.

Bug #6976

Previous PR: #2007

Updates:

rebase
remove Suricata 6 checks

Ticket

If your pull request is related to a Suricata ticket, please provide
the full URL to the ticket here so this pull request can monitor
changes to the ticket status:

Redmine ticket:
https://redmine.openinfosecfoundation.org/issues/6976

It seems that in certain cases as seen in this test, flow.action isn't updated, even if, say, all packets from the flow are dropped. Maybe this is due to the rule not being applied directly to the flow, but to each packet individually. But considering we are using a flow keyword, it seems that the engine should pass over the drop action to flow.action, at least in the flow event. Bug #6976

jufajardini added the requires suricata fix This PR requires an issue in Suricata to be fixed first label Sep 20, 2024

jufajardini mentioned this pull request Sep 20, 2024

tests: showcase flow.action lack of update - v3 #2007

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tests: showcase flow.action lack of update - v4 #2052

tests: showcase flow.action lack of update - v4 #2052

jufajardini commented Sep 20, 2024

tests: showcase flow.action lack of update - v4 #2052

Are you sure you want to change the base?

tests: showcase flow.action lack of update - v4 #2052

Conversation

jufajardini commented Sep 20, 2024

Ticket