output/eve: add 'verdict' field to 'alert' and 'drop' events - v8 #9162
Closed
Commits (6):

412c08c userguide/eve: add section about drop event type (jufajardini)
a0509c0 misc: fix typos & update copyright years (jufajardini)
1fa4c22 output: add verdict as an event type (jufajardini)
6615f84 output/alert: add verdict field (jufajardini)
aa205da outputs/drop: add verdict field (jufajardini)
24c9bf8 userguide/eve: format and reorganize alert section (jufajardini)
@@ -89,23 +89,17 @@ generated the event. | |
Event type: Alert | ||
----------------- | ||
|
||
Field action | ||
~~~~~~~~~~~~ | ||
|
||
Possible values: "allowed" and "blocked" | ||
|
||
Example: | ||
|
||
:: | ||
This field contains data about a signature that matched, such as | ||
``signature_id`` (``sid`` in the rule) and the ``signature`` (``msg`` in the | ||
rule). | ||
|
||
|
||
"action":"allowed" | ||
|
||
Action is set to "allowed" unless a rule used the "drop" action and Suricata is in IPS mode, or when the rule used the "reject" action. | ||
|
||
It can also contain information about Source and Target of the attack in the alert.source and alert.target field if target keyword is used in | ||
It can also contain information about Source and Target of the attack in the | ||
``alert.source`` and ``alert.target`` field if target keyword is used in | ||
the signature. | ||
|
||
This event will also have the ``pcap_cnt`` field, when running in pcap mode, to | ||
indicate which packet triggered the signature. | ||
|
||
:: | ||
|
||
"alert": { | ||
|
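Review bot: the rewrapped sentence in this hunk still reads "``alert.source`` and ``alert.target`` field if target keyword is used" although it names two fields; since the lines are being touched anyway, suggest "``alert.source`` and ``alert.target`` fields if the ``target`` keyword is used in the signature". Moving the "Field action" block out of this section is fine as long as its content (possible values, example, the note about ``drop``/``reject`` and IPS mode) reappears unchanged where the section is reorganised.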
@@ -147,13 +141,76 @@ the signature. | |
} | ||
}, | ||
|
||
Action field | ||
~~~~~~~~~~~~ | ||
|
||
Possible values: "allowed" and "blocked". | ||
|
||
Example: | ||
|
||
:: | ||
|
||
"action":"allowed" | ||
|
||
Action is set to "allowed" unless a rule used the "drop" action and Suricata is | ||
in IPS mode, or when the rule used the "reject" action. It is important to note | ||
that this does not necessarily indicate the final verdict for a given packet or | ||
flow, since one packet may match on several rules. | ||
|
||
Verdict Field | ||
~~~~~~~~~~~~~ | ||
|
||
Possible values are "accept", "drop" or "reject". | ||
|
||
Example: | ||
|
||
:: | ||
|
||
"verdict":"drop" | ||
|
||
Verdict is the final action that will be applied to a given packet, based on all | ||
the signatures triggered by it. In IPS mode, all values are possible. In IDS | ||
mode, verdict is only present if its value is "reject". | ||
|
||
Pcap Field | ||
~~~~~~~~~~ | ||
|
||
If pcap log capture is active in `multi` mode, a `capture_file` key will be added to the event | ||
with value being the full path of the pcap file where the corresponding packets | ||
have been extracted. | ||
|
||
Eventy type: Verdict | ||
-------------------- | ||
|
||
The "verdict" event indicates the final decision by the engine for a given | ||
packet that triggered alerts. This is especially useful for scenarios in which | ||
there are several alerts with different, conflicting actions, as it will state | ||
what was the prevailing action and whether the packet was also dropped or any | ||
other outcomes (as it happens with the ``reject`` action, for instance). | ||
|
||
Examples | ||
~~~~~~~~ | ||
|
||
:: | ||
|
||
"verdict": { | ||
"action": "alert" | ||
"reject-target": "both" | ||
"reject": [ "tcp-reset", "icmp-prohib", "user defined" ] | ||
Comment: the value here should be a json array of strings
||
} | ||
|
||
Fields | ||
~~~~~~ | ||
|
||
* "action": the action associated with the alert, and performed by the engine. | ||
Possible values: ``alert``, ``pass``, ``drop``. | ||
* "reject-target": (optional) dependent on Engine mode (IDS or IPS) and type of reject | ||
(cf :ref:`actions`). Possible values: ``source``, ``destination``, ``both``. | ||
* "reject": (optional) ``["tcp-reset", "icmp-prohib", "user defined"]`` depending on | ||
flow protocol and user settings. | ||
|
||
.. note:: ``reject`` is only logged for ``reject`` rules. | ||
|
||
Event type: Anomaly | ||
------------------- | ||
|
||
|
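Review bot: the example under "Examples" in this hunk is not valid JSON: the entries ``"action": "alert"``, ``"reject-target": "both"`` and ``"reject": [...]`` are missing the commas between them, so a reader who pastes it into a parser gets a syntax error; add the commas. The heading "Eventy type: Verdict" has a typo and should read "Event type: Verdict". The two descriptions of verdict also disagree: the "Verdict Field" subsection under the alert event lists the possible values as "accept", "drop" or "reject", while the "Fields" list for the verdict event type says ``action`` can be ``alert``, ``pass``, ``drop``; either use one vocabulary or state how the two map to each other. And since verdict carries ``action``, ``reject-target`` and ``reject``, it is an object rather than a single field, so the "Verdict Field" heading and its one-line description should be updated to say so.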
@@ -2532,4 +2589,4 @@ Example of DHCP log entry (extended logging enabled): | |
"rebinding_time":43200, | ||
"client_id":"54:ee:75:51:e0:66", | ||
"dns_servers":["192.168.1.50","192.168.1.49"] | ||
} | ||
} |
@@ -1,4 +1,4 @@ | ||
/* Copyright (C) 2007-2021 Open Information Security Foundation | ||
/* Copyright (C) 2007-2023 Open Information Security Foundation | ||
* | ||
* You can copy, redistribute or modify this Program under the terms of | ||
* the GNU General Public License version 2 as published by the Free | ||
|
@@ -45,6 +45,7 @@ | |
#include "output-json.h" | ||
#include "output-json-alert.h" | ||
#include "output-json-drop.h" | ||
#include "output-json-verdict.h" | ||
|
||
#include "util-unittest.h" | ||
#include "util-unittest-helper.h" | ||
|
@@ -60,7 +61,8 @@ | |
|
||
#define MODULE_NAME "JsonDropLog" | ||
|
||
#define LOG_DROP_ALERTS 1 | ||
#define LOG_DROP_ALERTS BIT_U8(1) | ||
#define LOG_DROP_VERDICT BIT_U8(2) | ||
|
||
Comment on lines -63 to +65: Changed this, tried adding the flows start/all option here, but led to failures. Can make this a TODO.
||
typedef struct JsonDropOutputCtx_ { | ||
uint8_t flags; | ||
|
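Review bot: switching ``LOG_DROP_ALERTS`` from the literal ``1`` to ``BIT_U8(1)`` changes its value (to 2, if ``BIT_U8(n)`` is the usual ``1 << n``) and leaves bit 0 of the ``uint8_t flags`` unused; that is harmless for an internal flag byte, but a short comment would prevent a later reader from assuming the old value. Given the thread comment that the flows start/all option was tried here and deferred, record that as a ``/* TODO */`` next to these defines rather than only in the review.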
@@ -82,7 +84,7 @@ static int g_droplog_flows_start = 1; | |
* \param tv Pointer the current thread variables | ||
* \param p Pointer the packet which is being logged | ||
* | ||
* \return return TM_EODE_OK on success | ||
* \return return TM_ECODE_OK on success | ||
*/ | ||
static int DropLogJSON (JsonDropLogThread *aft, const Packet *p) | ||
{ | ||
|
@@ -158,6 +160,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p) | |
/* Close drop. */ | ||
jb_close(js); | ||
|
||
if (aft->drop_ctx->flags & LOG_DROP_VERDICT) { | ||
GetVerdictJsonInfo(js, p); | ||
} | ||
|
||
if (aft->drop_ctx->flags & LOG_DROP_ALERTS) { | ||
int logged = 0; | ||
int i; | ||
|
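Review bot: ``GetVerdictJsonInfo(js, p)`` is called after ``jb_close(js)`` has already closed the ``drop`` object, so whatever it emits lands at the event's top level as a sibling of ``drop`` rather than inside it. If that is intended, the userguide text should say where the ``verdict`` key appears in a drop event; if verdict is meant to be nested inside ``drop``, as the PR title's "add 'verdict' field to ... 'drop' events" suggests, the call needs to move above the ``jb_close``.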
@@ -273,7 +279,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ | |
const char *extended = ConfNodeLookupChildValue(conf, "alerts"); | ||
if (extended != NULL) { | ||
if (ConfValIsTrue(extended)) { | ||
drop_ctx->flags = LOG_DROP_ALERTS; | ||
drop_ctx->flags |= LOG_DROP_ALERTS; | ||
} | ||
} | ||
extended = ConfNodeLookupChildValue(conf, "flows"); | ||
|
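Review bot: the change from ``=`` to ``|=`` is the right thing now that there is more than one flag, but it makes this code depend on ``drop_ctx->flags`` being zero before option parsing starts; confirm the context is allocated with a zeroing allocator or set ``drop_ctx->flags = 0`` explicitly at the top of this function so the ``alerts`` and ``verdict`` bits cannot inherit a stale value.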
@@ -287,6 +293,12 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ | |
"'flow' are 'start' and 'all'"); | ||
} | ||
} | ||
extended = ConfNodeLookupChildValue(conf, "verdict"); | ||
if (extended != NULL) { | ||
if (ConfValIsTrue(extended)) { | ||
drop_ctx->flags |= LOG_DROP_VERDICT; | ||
} | ||
} | ||
} | ||
|
||
drop_ctx->eve_ctx = ajt; | ||
|
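Review bot: the new ``verdict`` block is a copy of the ``alerts`` block above it; a small helper for "boolean option sets flag" would avoid a third copy when the flows TODO is picked up. More importantly, the option is parsed but nothing visible in this PR documents a ``verdict:`` setting under the drop logger in suricata.yaml or the userguide, so a user cannot discover how to enable it; add it to the drop event type documentation. Note also that non-true values are silently ignored here, which matches ``alerts`` but differs from ``flows``, which warns that the valid values are ``start`` and ``all``; state which behaviour is intended.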
@@ -306,7 +318,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_ | |
* \param data Pointer to the droplog struct | ||
* \param p Pointer the packet which is being logged | ||
* | ||
* \retval 0 on succes | ||
* \retval 0 on success | ||
*/ | ||
static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p) | ||
{ | ||
|
Comment: this is not a field, but an object containing other fields, right?

Comment: Right, I was seeing it as a field because it's part of 'alert', but... that's indeed wrong.

Comment: also: update description, there are more fields in verdict now.