
Inverted functionality of maxsize in rules. #4011

Open
SalvaMilenario opened this issue Sep 25, 2019 · 0 comments
Labels
module/analysis Issues related to the Analysis daemon type/bug Something isn't working

Comments

SalvaMilenario (Contributor) commented Sep 25, 2019

Wazuh version: 3.10.2
Component: analysisd
Install type: Manager
Install method: Packages/Sources
Platform: linux

I configured new rules and detected that the field maxsize doesn't have the functionality defined in the documentation.


Currently, when the size of the event is less than maxsize, the event isn't sent, but if it's bigger, it is sent. This isn't how it should work; the correct functionality should be that the size of the event has to be less than maxsize.

The issue is in this line:

    if (rule->maxsize) {
        if (lf->size < rule->maxsize) {
            return (NULL);
        }
    }

The proposed solution is to change the symbol "<" to ">".

Regards

@SalvaMilenario SalvaMilenario added type/bug Something isn't working module/analysis Issues related to the Analysis daemon labels Sep 25, 2019
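The following is an added example, not code from the Wazuh project or from the issue author. It puts the check quoted above next to the proposed one-character change and runs both over a few constructed event sizes, so the reader can see exactly which events each variant lets through and that the two variants only agree at the boundary where the event size equals maxsize. The RuleInfo and Eventinfo structs below are simplified stand-ins for the analysisd types, and the function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the analysisd rule and event structures.
 * Constructed for this example; not Wazuh's own definitions. */
typedef struct {
    size_t maxsize;   /* 0 means the rule sets no maxsize */
} RuleInfo;

typedef struct {
    const char *log;
    size_t size;      /* byte length of the event payload */
} Eventinfo;

/* The check as quoted in the issue. Returns 1 if the rule may keep
 * matching, 0 if the maxsize check rejects the event. Events SMALLER
 * than maxsize are rejected, so the rule only fires on large events. */
int maxsize_allows_current(const RuleInfo *rule, const Eventinfo *lf)
{
    if (rule->maxsize) {
        if (lf->size < rule->maxsize) {
            return 0;
        }
    }
    return 1;
}

/* The proposed change: "<" becomes ">". Events LARGER than maxsize are
 * rejected, so the rule only fires on events that fit within the limit. */
int maxsize_allows_proposed(const RuleInfo *rule, const Eventinfo *lf)
{
    if (rule->maxsize) {
        if (lf->size > rule->maxsize) {
            return 0;
        }
    }
    return 1;
}

/* Convenience wrappers that build the structs from a maxsize and a
 * constructed event string (event size = string length in bytes). */
int current_allows(size_t maxsize, const char *event)
{
    RuleInfo rule = { maxsize };
    Eventinfo lf = { event, strlen(event) };
    return maxsize_allows_current(&rule, &lf);
}

int proposed_allows(size_t maxsize, const char *event)
{
    RuleInfo rule = { maxsize };
    Eventinfo lf = { event, strlen(event) };
    return maxsize_allows_proposed(&rule, &lf);
}

/* 1 if the two variants reach different decisions for this event, else 0.
 * They agree only when maxsize is unset or the size equals maxsize. */
int variants_disagree(size_t maxsize, const char *event)
{
    return current_allows(maxsize, event) != proposed_allows(maxsize, event);
}

int main(void)
{
    /* Constructed sample events around a maxsize of 20 bytes. */
    const char *events[] = {
        "short",                              /* 5 bytes: below maxsize   */
        "exactly twenty bytes",               /* 20 bytes: equal to limit */
        "this event is longer than twenty",   /* 32 bytes: above maxsize  */
    };
    size_t maxsize = 20;
    size_t i;

    printf("%-36s %5s %8s %9s\n", "event", "size", "current", "proposed");
    for (i = 0; i < sizeof(events) / sizeof(events[0]); i++) {
        printf("%-36s %5zu %8s %9s\n", events[i], strlen(events[i]),
               current_allows(maxsize, events[i]) ? "match" : "drop",
               proposed_allows(maxsize, events[i]) ? "match" : "drop");
    }
    return 0;
}
```

Running the program prints one line per sample event; the "current" column drops the short event and matches the long one, while the "proposed" column does the opposite, and both match the 20-byte event because neither comparison is inclusive. Whichever semantics the project settles on, that equal-size boundary is worth a dedicated test case, since a rule author reading "maximum size" would normally expect the limit itself to be allowed.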
No branches or pull requests

1 participant