OISF · jufajardini · Dec 23, 2022 · Jan 5, 2023 · Jun 13, 2023 · Jul 5, 2023
@@ -89,23 +89,17 @@ generated the event.
 Event type: Alert
 -----------------
 
-Field action
-~~~~~~~~~~~~
-
-Possible values: "allowed" and "blocked"
-
-Example:
-
-::
+This field contains data about a signature that matched, such as
+``signature_id`` (``sid`` in the rule) and the ``signature`` (``msg`` in the
+rule).
 
-
-  "action":"allowed"
-
-Action is set to "allowed" unless a rule used the "drop" action and Suricata is in IPS mode, or when the rule used the "reject" action.
-
-It can also contain information about Source and Target of the attack in the alert.source and alert.target field if target keyword is used in
+It can also contain information about Source and Target of the attack in the
+``alert.source`` and ``alert.target`` field if target keyword is used in
 the signature.
 
+This event will also have the ``pcap_cnt`` field, when running in pcap mode, to
+indicate which packet triggered the signature.
+
 ::
 
   "alert": {
@@ -147,13 +141,76 @@ the signature.
     }
   },
 
+Action field
+~~~~~~~~~~~~
+
+Possible values: "allowed" and "blocked".
+
+Example:
+
+::
+
+  "action":"allowed"
+
+Action is set to "allowed" unless a rule used the "drop" action and Suricata is
+in IPS mode, or when the rule used the "reject" action. It is important to note
+that this does not necessarily indicate the final verdict for a given packet or
+flow, since one packet may match on several rules.
+
+Verdict Field
+~~~~~~~~~~~~~
+
+Possible values are "accept", "drop" or "reject".
+
+Example:
+
+::
+
+  "verdict":"drop"
+
+Verdict is the final action that will be applied to a given packet, based on all
+the signatures triggered by it. In IPS mode, all values are possible. In IDS
+mode, verdict is only present if its value is "reject".
+
 Pcap Field
 ~~~~~~~~~~
 
 If pcap log capture is active in `multi` mode, a `capture_file` key will be added to the event
 with value being the full path of the pcap file where the corresponding packets
 have been extracted.
 
+Eventy type: Verdict
+--------------------
+
+The "verdict" event indicates the final decision by the engine for a given
+packet that triggered alerts. This is especially useful for scenarios in which
+there are several alerts with different, conflicting actions, as it will state
+what was the prevailing action and whether the packet was also dropped or any
+other outcomes (as it happens with the ``reject`` action, for instance).
+
+Examples
+~~~~~~~~
+
+::
+
+   "verdict": {
+      "action": "alert"
+      "reject-target": "both"
+      "reject": [ "tcp-reset", "icmp-prohib", "user defined" ]
+   }
+
+Fields
+~~~~~~
+
+* "action": the action associated with the alert, and performed by the engine.
+  Possible values: ``alert``, ``pass``, ``drop``.
+* "reject-target": (optional) dependent on Engine mode (IDS or IPS) and type of reject
+  (cf :ref:`actions`). Possible values: ``source``, ``destination``, ``both``.
+* "reject": (optional) ``["tcp-reset", "icmp-prohib", "user defined"]`` depending on
+  flow protocol and user settings.
+
+.. note:: ``reject`` is only logged for ``reject`` rules.
+
 Event type: Anomaly
 -------------------
 
@@ -2532,4 +2589,4 @@ Example of DHCP log entry (extended logging enabled):
     "rebinding_time":43200,
     "client_id":"54:ee:75:51:e0:66",
     "dns_servers":["192.168.1.50","192.168.1.49"]
-  }
+  }
@@ -264,6 +264,19 @@ enabled, then the log gets more verbose.
 
 By using ``custom`` it is possible to select which TLS fields to log.
 
+Drops
+~~~~~
+
+Drops are event types logged when the engine drops a packet.
+
+Config::
+
+    - drop:
+        alerts: yes      # log alerts that caused drops
+        flows: all       # start or all: 'start' logs only a single drop
+                         # per flow direction. All logs each dropped pkt.
+
+
 Date modifiers in filename
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 

@@ -94,6 +94,11 @@
             "type": "string",
             "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+[+\\-]\\d+$"
         },
+        "verdict": {
+            "type": "object",
+            "additionalProperties": true,
+            "$ref": "#/$defs/verdict_type"
+        },
         "direction": {
             "type": "string"
         },
@@ -262,6 +267,9 @@
                             "items": {
                                 "type": "string"
                             }
+                        },
+                        "verdict": {
+                            "$ref": "#/$defs/verdict_type"
                         }
                     },
                     "additionalProperties": true
@@ -1289,6 +1297,9 @@
                 },
                 "reason": {
                     "type": "string"
+                },
+                "verdict": {
+                    "$ref": "#/$defs/verdict_type"
                 }
             },
             "additionalProperties": false
@@ -5482,6 +5493,20 @@
             "$comment": "Definition for TLS date formats",
             "type": "string",
             "pattern": "^[1-2]\\d{3}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$"
+        },
+        "verdict_type": {
+            "type": "object",
+            "properties": {
+                "action": {
+                    "type": "string"
+                },
+                "reject": {
+                    "type": "string"
+                },
+                "reject-target": {
+                    "type": "string"
+                }
+            }
         }
     }
 }
@@ -427,6 +427,7 @@ noinst_HEADERS = \
 	output-json-template.h \
 	output-json-tftp.h \
 	output-json-tls.h \
+	output-json-verdict.h \
 	output-eve-syslog.h \
 	output-lua.h \
 	output-packet.h \
@@ -1036,6 +1037,7 @@ libsuricata_c_a_SOURCES = \
 	output-json-template.c \
 	output-json-tftp.c \
 	output-json-tls.c \
+	output-json-verdict.c \
 	output-eve-syslog.c \
 	output-lua.c \
 	output-packet.c \

@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2022 Open Information Security Foundation
+/* Copyright (C) 2007-2023 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free

@@ -1,4 +1,4 @@
-/* Copyright (C) 2013-2022 Open Information Security Foundation
+/* Copyright (C) 2013-2023 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -78,6 +78,7 @@
 #include "output-json-modbus.h"
 #include "output-json-frame.h"
 #include "output-json-quic.h"
+#include "output-json-verdict.h"
 
 #include "util-byte.h"
 #include "util-privs.h"
@@ -101,6 +102,7 @@
 #define LOG_JSON_HTTP_BODY_BASE64  BIT_U16(7)
 #define LOG_JSON_RULE_METADATA     BIT_U16(8)
 #define LOG_JSON_RULE              BIT_U16(9)
+#define LOG_JSON_VERDICT           BIT_U16(10)
 
 #define METADATA_DEFAULTS ( LOG_JSON_FLOW |                        \
             LOG_JSON_APP_LAYER  |                                  \
@@ -828,6 +830,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
             jb_set_string(jb, "capture_file", pcap_filename);
         }
 
+        if (json_output_ctx->flags & LOG_JSON_VERDICT) {
+            GetVerdictJsonInfo(jb, p);
+        }
+
         OutputJsonBuilderBuffer(jb, aft->ctx);
         jb_free(jb);
     }
@@ -1016,6 +1022,7 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
         SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
         SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
         SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
+        SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags);
 
         /* Check for obsolete flags and warn that they have no effect. */
         static const char *deprecated_flags[] = { "http", "tls", "ssh", "smtp", "dnp3", "app-layer",

@@ -1,4 +1,4 @@
-/* Copyright (C) 2013-2014 Open Information Security Foundation
+/* Copyright (C) 2013-2023 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free

@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2021 Open Information Security Foundation
+/* Copyright (C) 2007-2023 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -45,6 +45,7 @@
 #include "output-json.h"
 #include "output-json-alert.h"
 #include "output-json-drop.h"
+#include "output-json-verdict.h"
 
 #include "util-unittest.h"
 #include "util-unittest-helper.h"
@@ -60,7 +61,8 @@
 
 #define MODULE_NAME "JsonDropLog"
 
-#define LOG_DROP_ALERTS 1
+#define LOG_DROP_ALERTS  BIT_U8(1)
+#define LOG_DROP_VERDICT BIT_U8(2)
 
 typedef struct JsonDropOutputCtx_ {
     uint8_t flags;
@@ -82,7 +84,7 @@ static int g_droplog_flows_start = 1;
  * \param tv    Pointer the current thread variables
  * \param p     Pointer the packet which is being logged
  *
- * \return return TM_EODE_OK on success
+ * \return return TM_ECODE_OK on success
  */
 static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
 {
@@ -158,6 +160,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
     /* Close drop. */
     jb_close(js);
 
+    if (aft->drop_ctx->flags & LOG_DROP_VERDICT) {
+        GetVerdictJsonInfo(js, p);
+    }
+
     if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
         int logged = 0;
         int i;
@@ -273,7 +279,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
         const char *extended = ConfNodeLookupChildValue(conf, "alerts");
         if (extended != NULL) {
             if (ConfValIsTrue(extended)) {
-                drop_ctx->flags = LOG_DROP_ALERTS;
+                drop_ctx->flags |= LOG_DROP_ALERTS;
             }
         }
         extended = ConfNodeLookupChildValue(conf, "flows");
@@ -287,6 +293,12 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
                              "'flow' are 'start' and 'all'");
             }
         }
+        extended = ConfNodeLookupChildValue(conf, "verdict");
+        if (extended != NULL) {
+            if (ConfValIsTrue(extended)) {
+                drop_ctx->flags |= LOG_DROP_VERDICT;
+            }
+        }
     }
 
     drop_ctx->eve_ctx = ajt;
@@ -306,7 +318,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
  * \param data  Pointer to the droplog struct
  * \param p     Pointer the packet which is being logged
  *
- * \retval 0 on succes
+ * \retval 0 on success
  */
 static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 {