output/drop: add verdict field

Related to Bug #5464
2 years ago · 0437173848
parent 53b8defd79
commit 0437173848
4 changed files with 35 additions and 2 deletions
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@ -264,6 +264,22 @@ enabled, then the log gets more verbose.

 By using ``custom`` it is possible to select which TLS fields to log.

+Drops
+~~~~~
+
+Drops are event types logged when the engine drops a packet.
+
+Config::
+
+    - drop:
+        alerts: yes      # log alerts that caused drops
+        flows: all       # start or all: 'start' logs only a single drop
+                         # per flow direction. All logs each dropped pkt.
+        # Enable logging the final action taken on a packet by the engine
+        # (will show more information in case of a drop caused by 'reject')
+        verdict: yes
+
+
 Date modifiers in filename
 ~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/etc/schema.json
+++ b/etc/schema.json
@ -1292,6 +1292,9 @@
                },
                "reason": {
                    "type": "string"
+                },
+                "verdict": {
+                    "$ref": "#/$defs/verdict_type"
                }
            },
            "additionalProperties": false
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@ -60,7 +60,8 @@

 #define MODULE_NAME "JsonDropLog"

-#define LOG_DROP_ALERTS 1
+#define LOG_DROP_ALERTS  BIT_U8(1)
+#define LOG_DROP_VERDICT BIT_U8(2)

 typedef struct JsonDropOutputCtx_ {
    uint8_t flags;
@ -158,6 +159,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
    /* Close drop. */
    jb_close(js);

+    if (aft->drop_ctx->flags & LOG_DROP_VERDICT) {
+        EveAddVerdict(js, p);
+    }
+
    if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
        int logged = 0;
        int i;
@ -273,7 +278,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
        const char *extended = ConfNodeLookupChildValue(conf, "alerts");
        if (extended != NULL) {
            if (ConfValIsTrue(extended)) {
-                drop_ctx->flags = LOG_DROP_ALERTS;
+                drop_ctx->flags |= LOG_DROP_ALERTS;
            }
        }
        extended = ConfNodeLookupChildValue(conf, "flows");
@ -287,6 +292,12 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
                             "'flow' are 'start' and 'all'");
            }
        }
+        extended = ConfNodeLookupChildValue(conf, "verdict");
+        if (extended != NULL) {
+            if (ConfValIsTrue(extended)) {
+                drop_ctx->flags |= LOG_DROP_VERDICT;
+            }
+        }
    }

    drop_ctx->eve_ctx = ajt;
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -262,6 +262,9 @@ outputs:
        #    alerts: yes      # log alerts that caused drops
        #    flows: all       # start or all: 'start' logs only a single drop
        #                     # per flow direction. All logs each dropped pkt.
+            # Enable logging the final action taken on a packet by the engine
+            # (will show more information in case of a drop caused by 'reject')
+            # verdict: yes
        - smtp:
            #extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent