In the rule below, the json_meta_content is looking to make sure the value of .Actor[2].Type is not 1 or 2, but in some of the logs the .Actor key isn't present. If the key isn't present, the rule automatically fails. If the json_meta_content is being negated with !, then the rule should continue to process the rest of the rule. This may also be an issue with other json_* keywords.
The rule works if the below code is placed at line 103 in src/json-meta-content.c. The only issue is that if a rule has only a single json_meta_content:! it will trigger off any log that doesn't have the key, which will be an issue. There shouldn't be any rule designed that way, but there should be a check for it.
/* Key absent from the log: a negated json_meta_content is satisfied, so count it as a match */
if ( rulestruct[rule_position].json_meta_content_not[i] == true )
    {
        match++;
    }
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-AZURE-AD-GEOIP] Login from outside HOME_COUNTRY"; json_meta_content:!".Actor[2].Type",1,2; content:"ClientIP"; json_content: ".Workload", "AzureActiveDirectory"; json_content: ".Operation", "UserLoggedIn"; country_code: track by_src, isnot $HOME_COUNTRY; json_map: "src_ip", ".ClientIP"; json_map: "dest_ip", ".ClientIP"; json_map: "username", ".UserID"; json_map: "program",".Workload"; classtype: successful-user; sid:5004788; rev:2; metadata:updated_at 2023_08_01;)
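As an added illustration (not Sagan's own code), the following shows the absent-key semantics the issue asks for, a negated check passes and a positive check fails when the key is missing, together with the loader-side check for rules made only of negated entries; meta_check_t, kv_t and the sample rule data are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative stand-ins, not Sagan's own structures: one json_meta_content
 * style check (key, comparison values, '!' flag) and a parsed log line. */
typedef struct {
    const char *key;
    const char *values[4];
    size_t      value_count;
    bool        negated;
} meta_check_t;
typedef struct { const char *key; const char *value; } kv_t;

/* Returns the value stored under key, or NULL when the key is absent. */
static const char *json_lookup(const kv_t *log, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(log[i].key, key) == 0)
            return log[i].value;
    return NULL;
}

/* Evaluate one check against one log; true means the check is satisfied. */
bool meta_check_matches(const meta_check_t *c, const kv_t *log, size_t n)
{
    const char *v = json_lookup(log, n, c->key);
    /* The fix from the issue: an absent key holds none of the listed values,
     * so a negated check is satisfied while a positive check fails. */
    if (v == NULL)
        return c->negated;
    bool found = false;
    for (size_t i = 0; i < c->value_count && !found; i++)
        found = strcmp(v, c->values[i]) == 0;
    return c->negated ? !found : found;
}

/* Caveat from the issue: a rule made only of negated checks fires on every log lacking the key. */
bool rule_has_positive_check(const meta_check_t *checks, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!checks[i].negated)
            return true;
    return false;
}

/* Constructed sample data modelled on the rule in the issue. */
static const meta_check_t page_rule_checks[] = {
    { ".Actor[2].Type", { "1", "2" }, 2, true },           /* json_meta_content:! */
    { ".Workload", { "AzureActiveDirectory" }, 1, false }, /* json_content, simplified */
};
```

Running rule_has_positive_check over a rule's parsed checks at load time is what would catch the single-negated-keyword case the report warns about.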