-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
output/eve: add 'verdict' field to 'alert' and 'drop' events - v8 #9162
Conversation
Besides having the alert's verdict as a part of the alert event, also offer the ability to have it as an independent event type. Related to Task OISF#5464
Related to Bug OISF#5464
Related to Bug OISF#5464
The `field action` portion seemed to be comprised of a more generic section that followed it. Also formatted the section for lines to be within the character limit.
#define LOG_DROP_ALERTS 1 | ||
#define LOG_DROP_ALERTS BIT_U8(1) | ||
#define LOG_DROP_VERDICT BIT_U8(2) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed this, tried adding the flows start/all option here, but led to failures. Can make this a TODO.
} else if (p->action & ACTION_REJECT_BOTH) { | ||
JB_SET_STRING(jb, "reject-target", "both"); | ||
} | ||
JB_SET_STRING(jb, "reject", "[tcp-reset, icmp-prohib, user defined]"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the bit I wasn't sure about the approach, @victorjulien . The examples from #8596 (comment) show all options. If that's the case, would this work? Or do we want to check what is actually being done by Suri, and output only that option? If so, I'm done sure how to figure out when will it be user defined
...
The other two I figured I could decide by checking the packet proto.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this shouldn't be a single string, but a json array of strings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"user defined" can be ignored, it was a place holder for some future ideas
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, thanks.
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9162 +/- ##
==========================================
- Coverage 82.34% 82.33% -0.01%
==========================================
Files 968 969 +1
Lines 273546 273656 +110
==========================================
+ Hits 225247 225317 +70
- Misses 48299 48339 +40
Flags with carried forward coverage won't be shown. Click here to find out more. |
WARNING:
Pipeline 15018 |
that this does not necessarily indicate the final verdict for a given packet or | ||
flow, since one packet may match on several rules. | ||
|
||
Verdict Field |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is not a field, but an object containing other fields, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, I was seeing it as a field because it's part of 'alert', but... that's indeed wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also: update description, there are more fields in verdict now.
"verdict": { | ||
"action": "alert" | ||
"reject-target": "both" | ||
"reject": [ "tcp-reset", "icmp-prohib", "user defined" ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the value here should be a json array of strings
JsonVerdictLogThread *vlt = thread_data; | ||
|
||
int r = VerdictJson(vlt, p); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove newline
|
||
static int JsonVerdictLogCondition(ThreadVars *tv, void *thread_data, const Packet *p) | ||
{ | ||
if (p->alerts.cnt > 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so verdict records are only written for alerts... this excludes drops from outside the detect engine (e.g. exception policy), also "pass" would be excluded, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right on cue for both aspects, I hadn't considered them >__<'
@@ -168,6 +168,10 @@ outputs: | |||
# Enable the logging of tagged packets for rules using the | |||
# "tag" keyword. | |||
tagged-packets: yes | |||
# Enable logging the final verdict for packets with the alert | |||
verdict: yes | |||
- verdict: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add a comment to explain on a high level what this is
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see inline comments
Replaced by: #9216 |
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5464
Previous PR: #8596
Sharing this now to clarify one aspect, and check if this is going on the right direction.
Describe changes from previous PR:
drop
event (haven't touched theflows all/start
one, as this was leading to failures, but can make it a TODOalert.action
as optionalTODOs:
Provide values to any of the below to override the defaults.
OISF/suricata-verify#1293
Outputs examples: