Rule engine doesn't care about rule type if no conditions are defined on the payload
banditopazzo opened this issue · 0 comments
banditopazzo commented
The rule engine contains an unwanted behaviour.
Take for example these 2 rules:
```yaml
- name: Test curl request
  type: DnsQuery
  condition: header.image == "/usr/bin/curl"
- name: Test curl response
  type: DnsResponse
  condition: header.image == "/usr/bin/curl"
```
Even if `DnsQuery` or `DnsResponse` is in the type field of the rule, without any rule on the `Payload` this condition will match on every type of event, not only `DnsQuery` or `DnsResponse`.
This behaviour is not wrong from the `validation` point of view, because it's generic and only looks strictly at conditions.
What we need is a way to enforce this check for our specific case, where the payload type is an additional condition.
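
The reported behaviour and the requested one, side by side, as an added example that is not the project's code: every type and function name below is hypothetical, and the condition `header.image == "/usr/bin/curl"` is stood in for by a plain function. All three constructed events come from curl, but only one is a `DnsQuery`.

```rust
// Added illustration: every name here is hypothetical, not the project's API.
#[allow(dead_code)]
enum Payload {
    DnsQuery { name: String },
    DnsResponse { name: String },
    FileOpened { path: String },
}
impl Payload {
    // Variant name, compared against the rule's `type` field.
    fn type_name(&self) -> &'static str {
        match self {
            Payload::DnsQuery { .. } => "DnsQuery",
            Payload::DnsResponse { .. } => "DnsResponse",
            Payload::FileOpened { .. } => "FileOpened",
        }
    }
}
struct Event { image: String, payload: Payload }
struct Rule { name: &'static str, event_type: &'static str, condition: fn(&Event) -> bool }

// Stand-in for the compiled condition `header.image == "/usr/bin/curl"`.
fn image_is_curl(ev: &Event) -> bool { ev.image == "/usr/bin/curl" }

// Behaviour reported in the issue: only the condition is evaluated.
fn matches_condition_only(rule: &Rule, ev: &Event) -> bool { (rule.condition)(ev) }

// Requested behaviour: the payload type acts as an additional condition.
fn matches_with_type(rule: &Rule, ev: &Event) -> bool {
    rule.event_type == ev.payload.type_name() && (rule.condition)(ev)
}
// Constructed sample events, all produced by curl.
fn sample_events() -> Vec<Event> {
    let curl = || "/usr/bin/curl".to_string();
    vec![
        Event { image: curl(), payload: Payload::DnsQuery { name: "example.com".into() } },
        Event { image: curl(), payload: Payload::DnsResponse { name: "example.com".into() } },
        Event { image: curl(), payload: Payload::FileOpened { path: "/etc/hosts".into() } },
    ]
}
fn curl_request_rule() -> Rule {
    Rule { name: "Test curl request", event_type: "DnsQuery", condition: image_is_curl }
}
// Payload types of the events that `m` accepts for `rule`.
fn matched(rule: &Rule, events: &[Event], m: fn(&Rule, &Event) -> bool) -> Vec<&'static str> {
    events.iter().filter(|e| m(rule, *e)).map(|e| e.payload.type_name()).collect()
}
fn main() {
    let (rule, events) = (curl_request_rule(), sample_events());
    println!("{}: condition only -> {:?}", rule.name, matched(&rule, &events, matches_condition_only));
    println!("{}: type enforced  -> {:?}", rule.name, matched(&rule, &events, matches_with_type));
}
```

For detection rules, the condition-only path means a rule written for one event type also fires on unrelated events from the same process, which inflates alert volume and mislabels what was observed.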