output/eve: add 'verdict' field to 'alert' and 'drop' events - v8 #9162
Conversation
Besides having the alert's verdict as a part of the alert event, also offer the ability to have it as an independent event type. Related to Task OISF#5464
Related to Bug OISF#5464
Related to Bug OISF#5464
The `field action` portion seemed to be comprised of a more generic section that followed it. Also formatted the section for lines to be within the character limit.
| #define LOG_DROP_ALERTS 1 | ||
| #define LOG_DROP_ALERTS BIT_U8(1) | ||
| #define LOG_DROP_VERDICT BIT_U8(2) |
There was a problem hiding this comment.
Changed this, tried adding the flows start/all option here, but led to failures. Can make this a TODO.
| } else if (p->action & ACTION_REJECT_BOTH) { | ||
| JB_SET_STRING(jb, "reject-target", "both"); | ||
| } | ||
| JB_SET_STRING(jb, "reject", "[tcp-reset, icmp-prohib, user defined]"); |
There was a problem hiding this comment.
This is the bit I wasn't sure about the approach, @victorjulien . The examples from #8596 (comment) show all options. If that's the case, would this work? Or do we want to check what is actually being done by Suri, and output only that option? If so, I'm done sure how to figure out when will it be user defined...
The other two I figured I could decide by checking the packet proto.
There was a problem hiding this comment.
this shouldn't be a single string, but a json array of strings
There was a problem hiding this comment.
"user defined" can be ignored, it was a place holder for some future ideas
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9162 +/- ##
==========================================
- Coverage 82.34% 82.33% -0.01%
==========================================
Files 968 969 +1
Lines 273546 273656 +110
==========================================
+ Hits 225247 225317 +70
- Misses 48299 48339 +40
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
WARNING:
Pipeline 15018 |
| that this does not necessarily indicate the final verdict for a given packet or | ||
| flow, since one packet may match on several rules. | ||
|
|
||
| Verdict Field |
There was a problem hiding this comment.
this is not a field, but an object containing other fields, right?
There was a problem hiding this comment.
Right, I was seeing it as a field because it's part of 'alert', but... that's indeed wrong.
There was a problem hiding this comment.
also: update description, there are more fields in verdict now.
| "verdict": { | ||
| "action": "alert" | ||
| "reject-target": "both" | ||
| "reject": [ "tcp-reset", "icmp-prohib", "user defined" ] |
There was a problem hiding this comment.
the value here should be a json array of strings
| JsonVerdictLogThread *vlt = thread_data; | ||
|
|
||
| int r = VerdictJson(vlt, p); | ||
|
|
|
|
||
| static int JsonVerdictLogCondition(ThreadVars *tv, void *thread_data, const Packet *p) | ||
| { | ||
| if (p->alerts.cnt > 0) { |
There was a problem hiding this comment.
so verdict records are only written for alerts... this excludes drops from outside the detect engine (e.g. exception policy), also "pass" would be excluded, right?
There was a problem hiding this comment.
Right on cue for both aspects, I hadn't considered them >__<'
| @@ -168,6 +168,10 @@ outputs: | |||
| # Enable the logging of tagged packets for rules using the | |||
| # "tag" keyword. | |||
| tagged-packets: yes | |||
| # Enable logging the final verdict for packets with the alert | |||
| verdict: yes | |||
| - verdict: | |||
There was a problem hiding this comment.
add a comment to explain on a high level what this is
|
Replaced by: #9216 |
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5464
Previous PR: #8596
Sharing this now to clarify one aspect, and check if this is going on the right direction.
Describe changes from previous PR:
dropevent (haven't touched theflows all/startone, as this was leading to failures, but can make it a TODOalert.actionas optionalTODOs:
Provide values to any of the below to override the defaults.
OISF/suricata-verify#1293
Outputs examples: