output/drop: add verdict field

Related to
Bug #5464
pull/9233/head
Juliana Fajardini 2 years ago committed by Victor Julien
parent 53b8defd79
commit 0437173848

@ -264,6 +264,22 @@ enabled, then the log gets more verbose.
By using ``custom`` it is possible to select which TLS fields to log. By using ``custom`` it is possible to select which TLS fields to log.
Drops
~~~~~
Drops are event types logged when the engine drops a packet.
Config::
- drop:
alerts: yes # log alerts that caused drops
flows: all # start or all: 'start' logs only a single drop
# per flow direction. All logs each dropped pkt.
# Enable logging the final action taken on a packet by the engine
# (will show more information in case of a drop caused by 'reject')
verdict: yes
Date modifiers in filename Date modifiers in filename
~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~

@ -1292,6 +1292,9 @@
}, },
"reason": { "reason": {
"type": "string" "type": "string"
},
"verdict": {
"$ref": "#/$defs/verdict_type"
} }
}, },
"additionalProperties": false "additionalProperties": false

@ -60,7 +60,8 @@
#define MODULE_NAME "JsonDropLog" #define MODULE_NAME "JsonDropLog"
#define LOG_DROP_ALERTS 1 #define LOG_DROP_ALERTS BIT_U8(1)
#define LOG_DROP_VERDICT BIT_U8(2)
typedef struct JsonDropOutputCtx_ { typedef struct JsonDropOutputCtx_ {
uint8_t flags; uint8_t flags;
@ -158,6 +159,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
/* Close drop. */ /* Close drop. */
jb_close(js); jb_close(js);
if (aft->drop_ctx->flags & LOG_DROP_VERDICT) {
EveAddVerdict(js, p);
}
if (aft->drop_ctx->flags & LOG_DROP_ALERTS) { if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
int logged = 0; int logged = 0;
int i; int i;
@ -273,7 +278,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
const char *extended = ConfNodeLookupChildValue(conf, "alerts"); const char *extended = ConfNodeLookupChildValue(conf, "alerts");
if (extended != NULL) { if (extended != NULL) {
if (ConfValIsTrue(extended)) { if (ConfValIsTrue(extended)) {
drop_ctx->flags = LOG_DROP_ALERTS; drop_ctx->flags |= LOG_DROP_ALERTS;
} }
} }
extended = ConfNodeLookupChildValue(conf, "flows"); extended = ConfNodeLookupChildValue(conf, "flows");
@ -287,6 +292,12 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
"'flow' are 'start' and 'all'"); "'flow' are 'start' and 'all'");
} }
} }
extended = ConfNodeLookupChildValue(conf, "verdict");
if (extended != NULL) {
if (ConfValIsTrue(extended)) {
drop_ctx->flags |= LOG_DROP_VERDICT;
}
}
} }
drop_ctx->eve_ctx = ajt; drop_ctx->eve_ctx = ajt;
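Review bot: `EveAddVerdict(js, p)` runs after `jb_close(js)` has closed the `drop` object, so the verdict is written as a sibling of `drop`, whereas the schema hunk adds `verdict` beside `reason` inside an object that carries `additionalProperties: false`; if that `reason` entry belongs to the `drop` object's properties (it looks that way, but the enclosing key is outside the hunk), the emitted JSON and the schema disagree on where `verdict` lives and schema validation of drop events would fail. Either move the call above `jb_close(js)` so the verdict is nested in `drop`, or register `verdict` under the top-level event properties in the schema; whichever is intended, a comment at the call site such as `/* verdict is emitted as a top-level sibling of "drop", matching schema.json */` would make the placement deliberate. Separately, changing `LOG_DROP_ALERTS` from `1` to `BIT_U8(1)` presumably changes its value from bit 0 to bit 1 (depending on how BIT_U8 is defined), which is only harmless because `flags` is internal to this module; `BIT_U8(0)` would keep the existing value. DropLogJSON and JsonDropLogInitCtxSub both start and end outside the hunks shown.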

@ -262,6 +262,9 @@ outputs:
# alerts: yes # log alerts that caused drops # alerts: yes # log alerts that caused drops
# flows: all # start or all: 'start' logs only a single drop # flows: all # start or all: 'start' logs only a single drop
# # per flow direction. All logs each dropped pkt. # # per flow direction. All logs each dropped pkt.
# Enable logging the final action taken on a packet by the engine
# (will show more information in case of a drop caused by 'reject')
# verdict: yes
- smtp: - smtp:
#extended: yes # enable this for extended logging information #extended: yes # enable this for extended logging information
# this includes: bcc, message-id, subject, x_mailer, user-agent # this includes: bcc, message-id, subject, x_mailer, user-agent
