suricata-verify

tests: showcase flow.action lack of update - v2

Open jufajardini opened this issue 7 months ago • 3 comments

It seems that in certain cases as seen in this test, flow.action isn't updated, even if, say, all packets from the flow are dropped.

Maybe this is due to the rule not being applied directly to the flow, but to each packet individually. But considering we are using a flow keyword, it seems that the engine should pass over the drop action to flow.action, at least in the flow event.

Bug #6976

Previous PR https://github.com/OISF/suricata-verify/pull/1975

Changes from previous PR:

  • add a test with engine-analysis

Ticket

If your pull request is related to a Suricata ticket, please provide the full URL to the ticket here so this pull request can monitor changes to the ticket status:

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6976

jufajardini · Jul 19 '24 17:07
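
One way to look for the symptom described above in EVE output, as an added example that is not part of this PR or of suricata-verify: correlate `drop` events with the `flow` event of the same `flow_id` and report flows that had packets dropped while `flow.action` is not `drop`. The EVE records are constructed for illustration, and the function name `find_action_mismatches` is hypothetical.

```python
import json
from collections import defaultdict

# Constructed EVE records (not output of the PR's test):
#  1001: both packets dropped, flow event has no flow.action (the symptom)
#  1002: packet dropped and flow.action is "drop" (expected behaviour)
#  1003: nothing dropped
SAMPLE_EVE = """\
{"event_type":"drop","flow_id":1001}
{"event_type":"drop","flow_id":1001}
{"event_type":"flow","flow_id":1001,"flow":{"pkts_toserver":2,"pkts_toclient":0,"state":"new"}}
{"event_type":"drop","flow_id":1002}
{"event_type":"flow","flow_id":1002,"flow":{"pkts_toserver":1,"pkts_toclient":0,"state":"new","action":"drop"}}
{"event_type":"flow","flow_id":1003,"flow":{"pkts_toserver":4,"pkts_toclient":3,"state":"closed"}}
"""

def find_action_mismatches(eve_text):
    """Return flows that have drop events but whose flow.action is not 'drop'."""
    drops = defaultdict(int)   # flow_id -> number of drop events seen
    flows = {}                 # flow_id -> "flow" object of the flow event
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue           # tolerate a truncated last line in a live log
        fid = rec.get("flow_id")
        if rec.get("event_type") == "drop":
            drops[fid] += 1
        elif rec.get("event_type") == "flow":
            flows[fid] = rec.get("flow", {})
    mismatches = []
    for fid in sorted(flows):
        flow, dropped = flows[fid], drops.get(fid, 0)
        total = flow.get("pkts_toserver", 0) + flow.get("pkts_toclient", 0)
        if dropped and flow.get("action") != "drop":
            mismatches.append({
                "flow_id": fid,
                "dropped": dropped,
                "all_dropped": dropped >= total,  # every counted packet dropped
                "flow_action": flow.get("action"),
            })
    return mismatches

if __name__ == "__main__":
    for m in find_action_mismatches(SAMPLE_EVE):
        print(m)
```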