Refactor search query for prohibited network traffic #3865
Merged
Describe the bug
The search can detect a 514 udp as rsh on tcp.
When "interesting_ports_lookup" is used, only the port is checked, not the protocol. Plus, only the first result is returned.
This lookup includes several entries for the same port (like 514 rsh/syslog) and the wrong entry can get returned. This creates a false match. The wrong enrichment is given (including a wrong transport method) and a notable is generated when it shouldn't be. It can also be greatly optimized by moving the filter logic to the where clause of the tstats.
Expected behavior
If a 514 udp is detected by the firewall, it should match syslog and not create a notable (or risk) saying it detected an rsh 514 tcp.
Details
It only contains a patch for the search in the rule "Prohibited Network Traffic Allowed".
It now gets the transport from the log instead of adding it from the lookup, adds transport to the match in the lookup "interesting_ports_lookup" command, and the filter logic is now in the where.
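The following Python model of the lookup-matching problem is an added example, not code from this pull request or from the security content project; it does not reproduce the project's SPL search. The lookup rows, the firewall events and the field names (`app`, `dest_port`, `transport`, `is_prohibited`) are constructed for illustration. It contrasts the old behaviour (match on port only, take the first row, copy transport from the lookup) with the fixed behaviour (match on port and transport taken from the event), and shows the equivalent of moving the prohibited filter ahead of enrichment, as the tstats where clause does.

```python
"""Model of port-only vs port+transport lookup matching (constructed example)."""
from typing import Dict, List, Optional

# Constructed lookup table shaped like an "interesting ports" lookup.
# Two rows share dest_port 514: rsh over tcp is prohibited, syslog over udp is not.
LOOKUP: List[Dict] = [
    {"app": "rsh",    "dest_port": 514, "transport": "tcp", "is_prohibited": True},
    {"app": "syslog", "dest_port": 514, "transport": "udp", "is_prohibited": False},
    {"app": "telnet", "dest_port": 23,  "transport": "tcp", "is_prohibited": True},
]

# Constructed firewall events: allowed connections with the transport seen on the wire.
EVENTS: List[Dict] = [
    {"src": "10.0.0.5", "dest": "10.0.0.9", "dest_port": 514, "transport": "udp"},
    {"src": "10.0.0.6", "dest": "10.0.0.9", "dest_port": 514, "transport": "tcp"},
    {"src": "10.0.0.7", "dest": "10.0.0.9", "dest_port": 443, "transport": "tcp"},
]


def lookup_port_only(dest_port: int) -> Optional[Dict]:
    """Old behaviour: match on port alone and return the first matching row."""
    for row in LOOKUP:
        if row["dest_port"] == dest_port:
            return row
    return None


def lookup_port_and_transport(dest_port: int, transport: str) -> Optional[Dict]:
    """Fixed behaviour: match on port and transport, so 514/udp cannot hit the rsh row."""
    for row in LOOKUP:
        if row["dest_port"] == dest_port and row["transport"] == transport:
            return row
    return None


def enrich_old(event: Dict) -> Dict:
    """Old enrichment: transport is overwritten with the lookup's value."""
    row = lookup_port_only(event["dest_port"])
    out = dict(event)
    if row:
        out.update(app=row["app"], transport=row["transport"],
                   is_prohibited=row["is_prohibited"])
    return out


def enrich_new(event: Dict) -> Dict:
    """Fixed enrichment: transport stays as observed in the log."""
    row = lookup_port_and_transport(event["dest_port"], event["transport"])
    out = dict(event)
    if row:
        out.update(app=row["app"], is_prohibited=row["is_prohibited"])
    return out


def notables(events: List[Dict], enrich) -> List[Dict]:
    """Events that would raise a notable: enriched and flagged as prohibited."""
    return [e for e in (enrich(ev) for ev in events) if e.get("is_prohibited")]


def prohibited_keys() -> set:
    """(dest_port, transport) pairs that are prohibited; this is the filter the
    refactor pushes into the where clause so only candidate rows are enriched."""
    return {(r["dest_port"], r["transport"]) for r in LOOKUP if r["is_prohibited"]}


def notables_filter_first(events: List[Dict]) -> List[Dict]:
    """Filter on (port, transport) before enrichment; same result as notables(..., enrich_new)."""
    keys = prohibited_keys()
    candidates = [ev for ev in events if (ev["dest_port"], ev["transport"]) in keys]
    return [enrich_new(ev) for ev in candidates]


if __name__ == "__main__":
    for name, hits in (("old", notables(EVENTS, enrich_old)),
                       ("new", notables(EVENTS, enrich_new)),
                       ("where-first", notables_filter_first(EVENTS))):
        print(name, [(h["src"], h["app"], h["transport"]) for h in hits])
```

With the old matching, the 514/udp event is labelled `rsh` over `tcp` and raises a notable; with port and transport matched together it resolves to `syslog`, is not prohibited, and only the genuine 514/tcp connection remains. Filtering on the prohibited keys first yields the same notables while enriching fewer rows.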