Rule engine contains an unwanted behaviour.

Take for example these 2 rules:

```yaml
- name: Test curl request
  type: DnsQuery
  condition: header.image == "/usr/bin/curl"
- name: Test curl response
  type: DnsResponse
  condition: header.image == "/usr/bin/curl"
```

Even if there is `DnsQuery` or `DnsResponse` in the type field of the rule, but without any rule on the `Payload`, this condition will match on every type of event, not only `DnsQuery` or `DnsResponse`.

This behaviour is not wrong from a `validation` point of view, because it's generic and only looks strictly at conditions.

What we need is a way to enforce this check for our specific case, where payload type is an additional condition.
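An added illustration of the behaviour described in this issue (not code from the project): a minimal rule matcher in which a header-only condition fires on every event type, next to a variant that treats the rule's `type` as an implicit extra condition. The types, function names and sample events are hypothetical.

```rust
// Simplified model of this issue; all names are hypothetical, sample events are constructed.
#[derive(Debug, Clone, Copy, PartialEq)]
enum PayloadType { DnsQuery, DnsResponse, FileOpened }
struct Event { image: &'static str, payload: PayloadType }
struct Rule {
    name: &'static str,
    event_type: PayloadType,        // the rule's `type:` field
    condition: fn(&Event) -> bool,  // stand-in for the compiled `condition:`
}
fn image_is_curl(e: &Event) -> bool { e.image == "/usr/bin/curl" }

// Reported behaviour: only the condition is evaluated, `type` is ignored.
fn matches_condition_only(rule: &Rule, event: &Event) -> bool { (rule.condition)(event) }

// Requested behaviour: the payload type is an additional, implicit condition.
fn matches_with_type(rule: &Rule, event: &Event) -> bool {
    rule.event_type == event.payload && (rule.condition)(event)
}

fn rules() -> Vec<Rule> {
    vec![
        Rule { name: "Test curl request", event_type: PayloadType::DnsQuery, condition: image_is_curl },
        Rule { name: "Test curl response", event_type: PayloadType::DnsResponse, condition: image_is_curl },
    ]
}

fn sample_events() -> Vec<Event> {
    vec![
        Event { image: "/usr/bin/curl", payload: PayloadType::DnsQuery },
        Event { image: "/usr/bin/curl", payload: PayloadType::DnsResponse },
        Event { image: "/usr/bin/curl", payload: PayloadType::FileOpened },
        Event { image: "/usr/bin/wget", payload: PayloadType::DnsQuery },
    ]
}

// Every (rule name, event payload type) pair the given matcher accepts.
fn matched_pairs(check: fn(&Rule, &Event) -> bool) -> Vec<(&'static str, PayloadType)> {
    let mut out = Vec::new();
    for r in &rules() {
        for e in &sample_events() {
            if check(r, e) { out.push((r.name, e.payload)); }
        }
    }
    out
}

fn main() {
    println!("condition only: {:?}", matched_pairs(matches_condition_only));
    println!("type enforced:  {:?}", matched_pairs(matches_with_type));
}
```

With the condition-only matcher, both DNS rules also fire on the `FileOpened` event from curl, which is the alert noise the issue describes.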