From 5d31f86e8582f55b364e6e826f64df539deb3f56 Mon Sep 17 00:00:00 2001 From: Juliana Fajardini Date: Thu, 22 Dec 2022 21:19:18 -0300 Subject: [PATCH 1/6] userguide/eve: add section about drop event type --- doc/userguide/output/eve/eve-json-output.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst index c6d7ec395166..90a1bb2b9552 100644 --- a/doc/userguide/output/eve/eve-json-output.rst +++ b/doc/userguide/output/eve/eve-json-output.rst @@ -264,6 +264,19 @@ enabled, then the log gets more verbose. By using ``custom`` it is possible to select which TLS fields to log. +Drops +~~~~~ + +Drops are event types logged when the engine drops a packet. + +Config:: + + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # per flow direction. All logs each dropped pkt. + + Date modifiers in filename ~~~~~~~~~~~~~~~~~~~~~~~~~~ From 048f8fd430e4e6ce91db9f6e1f28efa6348dfb44 Mon Sep 17 00:00:00 2001 From: Juliana Fajardini Date: Thu, 5 Jan 2023 18:24:40 -0300 Subject: [PATCH 2/6] misc: fix typos & update copyright years --- src/decode.c | 2 +- src/output-json-alert.c | 2 +- src/output-json-alert.h | 2 +- src/output-json-drop.c | 6 +++--- src/output-json.c | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/decode.c b/src/decode.c index 2e4c448eb7b7..a91ea2606694 100644 --- a/src/decode.c +++ b/src/decode.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2022 Open Information Security Foundation +/* Copyright (C) 2007-2023 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free diff --git a/src/output-json-alert.c b/src/output-json-alert.c index e0ea7545ab97..b494d4d19568 100644 --- a/src/output-json-alert.c +++ b/src/output-json-alert.c 
@@ -1,4 +1,4 @@
-/* Copyright (C) 2013-2022 Open Information Security Foundation
+/* Copyright (C) 2013-2023 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
diff --git a/src/output-json-alert.h b/src/output-json-alert.h
index 0a5af4268a09..5aaa034953f1 100644
--- a/src/output-json-alert.h
+++ b/src/output-json-alert.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2013-2014 Open Information Security Foundation
+/* Copyright (C) 2013-2023 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
diff --git a/src/output-json-drop.c b/src/output-json-drop.c
index 4e6048b53336..725b27a14ca9 100644
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2021 Open Information Security Foundation
+/* Copyright (C) 2007-2023 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -82,7 +82,7 @@ static int g_droplog_flows_start = 1;
 * \param tv Pointer the current thread variables
 * \param p Pointer the packet which is being logged
 *
- * \return return TM_EODE_OK on success
+ * \return return TM_ECODE_OK on success
 */
 static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
 {
@@ -306,7 +306,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
 * \param data Pointer to the droplog struct
 * \param p Pointer the packet which is being logged
 *
- * \retval 0 on succes
+ * \retval 0 on success
 */
 static int JsonDropLogger(ThreadVars *tv, void *thread_data, const Packet *p)
 {
diff --git a/src/output-json.c b/src/output-json.c
index 95a6e5ef4c25..de176e632313 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2021 Open Information Security Foundation
+/* Copyright (C) 2007-2023 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
From d0cce2ba6fb669d0c894996cbc968b9ae416aa6f Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Wed, 5 Jul 2023 12:52:53 -0300
Subject: [PATCH 3/6] output/alert: add verdict field
Related to Bug #5464
---
 etc/schema.json | 29 +++++++++++++++++++++
 src/output-json-alert.c | 56 +++++++++++++++++++++++++++++++++++++++++
 src/output-json-alert.h | 1 +
 suricata.yaml.in | 4 +++
 4 files changed, 90 insertions(+)
diff --git a/etc/schema.json b/etc/schema.json
index 32510a6198fa..285ba3068759 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -94,6 +94,9 @@
 "type": "string",
 "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+[+\\-]\\d+$"
 },
+ "verdict": {
+ "$ref": "#/$defs/verdict_type"
+ },
 "direction": {
 "type": "string"
 },
@@ -5393,6 +5396,32 @@
 "$comment": "Definition for TLS date formats",
 "type": "string",
 "pattern": "^[1-2]\\d{3}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$"
+ },
+ "verdict_type": {
+ "type": "object",
+ "properties": {
+ "action": {
+ "type": "string"
+ },
+ "reject": {
+ "type": "array",
+ "oneOf": [
+ {
+ "properties": {
+ "icmp-proihib": {
+ "type": "string"
+ },
+ "tcp-reset": {
+ "type": "string"
+ }
+ }
+ }
+ ]
+ },
+ "reject_target": {
+ "type": "string"
+ }
+ }
 }
 }
 }
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index b494d4d19568..67eae7d034c1 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@@ -101,6 +101,7 @@
 #define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
 #define LOG_JSON_RULE_METADATA BIT_U16(8)
 #define LOG_JSON_RULE BIT_U16(9)
+#define LOG_JSON_VERDICT BIT_U16(10)
 #define METADATA_DEFAULTS ( LOG_JSON_FLOW | \
 LOG_JSON_APP_LAYER | \
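Review bot: The `reject` entry of the new `verdict_type` definition does not constrain what `GetVerdictJson` emits: `oneOf`/`properties` apply to objects, so any array of anything passes, and the property name `icmp-proihib` is misspelled relative to the `icmp-prohib` string the code appends. The array members are plain strings, so an `items` constraint with an `enum` of the two reject types is what actually pins the contract. The definition also lacks `"additionalProperties": false`, which the drop object elsewhere in this schema uses; adding it lets schema validation catch key typos such as the `reject_target`/`reject-target` divergence between the code and the userguide example in this series.
```json
"reject": {
    "type": "array",
    "items": {
        "type": "string",
        "enum": ["icmp-prohib", "tcp-reset"]
    }
},
```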
@@ -665,6 +666,56 @@ static void AlertAddFrame(const Packet *p, JsonBuilder *jb, const int64_t frame_
 }
 }
+/**
+ * \brief Build verdict object
+ *
+ * \param p Pointer to Packet current being logged
+ *
+ */
+void GetVerdictJson(JsonBuilder *jb, const Packet *p)
+{
+ jb_open_object(jb, "verdict");
+
+ /* add verdict info */
+ if (PacketCheckAction(p, ACTION_REJECT_ANY)) {
+ // check rule to define type of reject packet sent
+ if (EngineModeIsIPS()) {
+ JB_SET_STRING(jb, "action", "drop");
+ } else {
+ JB_SET_STRING(jb, "action", "alert");
+ }
+ if (PacketCheckAction(p, ACTION_REJECT)) {
+ JB_SET_STRING(jb, "reject_target", "source");
+ } else if (PacketCheckAction(p, ACTION_REJECT_DST)) {
+ JB_SET_STRING(jb, "reject_target", "destination");
+ } else if (PacketCheckAction(p, ACTION_REJECT_BOTH)) {
+ JB_SET_STRING(jb, "reject_target", "both");
+ }
+ jb_open_array(jb, "reject");
+ switch (p->proto) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ jb_append_string(jb, "icmp-prohib");
+ break;
+ case IPPROTO_TCP:
+ jb_append_string(jb, "tcp-reset");
+ break;
+ }
+ jb_close(jb);
+
+ } else if (PacketCheckAction(p, ACTION_DROP) && EngineModeIsIPS()) {
+ JB_SET_STRING(jb, "action", "drop");
+ } else if (PacketCheckAction(p, ACTION_PASS)) {
+ JB_SET_STRING(jb, "action", "pass");
+ } else {
+ // TODO make sure we don't have a situation where this wouldn't work
+ JB_SET_STRING(jb, "action", "alert");
+ }
+
+ /* Close verdict */
+ jb_close(jb);
+}
+
 static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 {
 MemBuffer *payload = aft->payload_buffer;
@@ -828,6 +879,10 @@ static int AlertJson(ThreadVars *tv, JsonAlertLogThread *aft, const Packet *p)
 jb_set_string(jb, "capture_file", pcap_filename);
 }
+ if (json_output_ctx->flags & LOG_JSON_VERDICT) {
+ GetVerdictJson(jb, p);
+ }
+
 OutputJsonBuilderBuffer(jb, aft->ctx);
 jb_free(jb);
 }
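Review bot: The `switch (p->proto)` in `GetVerdictJson` has no `default`, so a reject verdict on any protocol other than TCP or ICMP opens and closes an empty `reject` array; add a `default:` arm that either records what was sent for that protocol or skips opening the array, at minimum `default: /* no reject packet type reported for this proto */ break;` so the gap is explicit. The key is written `reject_target` here, but the userguide example added later in this series shows `reject-target` and renders `reject` as the string `"[icmp-prohib]"` rather than an array, while the schema spells the value `icmp-proihib` — code, schema and docs need one spelling. In IDS mode a reject rule lands in the `action: alert` branch although the existing alert `action` field, per the userguide text in this series, reports reject as "blocked" regardless of mode; if that asymmetry is intended, a comment on the `EngineModeIsIPS()` branch should say why. The header comment also omits the builder, e.g. `* \param jb JsonBuilder the "verdict" object is appended to`, and the `// TODO` in the final `else` should name the case it is unsure about or be dropped before merge.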
@@ -1016,6 +1071,7 @@ static void JsonAlertLogSetupMetadata(AlertJsonOutputCtx *json_output_ctx,
 SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
 SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
 SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
+ SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags);
 /* Check for obsolete flags and warn that they have no effect. */
 static const char *deprecated_flags[] = { "http", "tls", "ssh", "smtp", "dnp3", "app-layer",
diff --git a/src/output-json-alert.h b/src/output-json-alert.h
index 5aaa034953f1..dcf4921c442b 100644
--- a/src/output-json-alert.h
+++ b/src/output-json-alert.h
@@ -30,6 +30,7 @@ void JsonAlertLogRegister(void);
 void AlertJsonHeader(void *ctx, const Packet *p, const PacketAlert *pa, JsonBuilder *js, uint16_t flags, JsonAddrInfo *addr, char *xff_buffer);
+void GetVerdictJson(JsonBuilder *jb, const Packet *p);
 #endif /* __OUTPUT_JSON_ALERT_H__ */
diff --git a/suricata.yaml.in b/suricata.yaml.in
index af7ad5344b72..c926b4b1107e 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -168,6 +168,10 @@ outputs:
 # Enable the logging of tagged packets for rules using the
 # "tag" keyword.
 tagged-packets: yes
+ # Enable logging the final action taken on a packet by the engine
+ # (e.g: the alert may have action 'allowed' but the verdict be
+ # 'drop' due to another alert. That's the engine's verdict)
+ verdict: yes
 # app layer frames
 - frame:
 # disabled by default as this is very verbose.
From b0c5bba10d33175f88c9209c45b16eb13bfa623b Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Tue, 4 Jul 2023 21:37:27 -0300
Subject: [PATCH 4/6] output/drop: add verdict field
Related to Bug #5464
---
 etc/schema.json | 3 +++
 src/output-json-drop.c | 15 +++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/etc/schema.json b/etc/schema.json
index 285ba3068759..f560796e3112 100644
--- a/etc/schema.json
+++ b/etc/schema.json
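Review bot: `SetFlag(conf, "verdict", LOG_JSON_VERDICT, &flags)` makes the field configurable, but nothing in this patch adds `LOG_JSON_VERDICT` to `METADATA_DEFAULTS` (the earlier hunk inserts only the `#define`, and the file's hunks account for all 56 insertions in the diffstat), so — if that mask is what applies when a key is absent, which I cannot confirm from here — existing configurations without a `verdict:` line will not log the field even though `suricata.yaml.in` now enables it by default. Either OR the bit into the defaults or state in the yaml comment that the field is opt-in for existing configs. The enclosing `JsonAlertLogSetupMetadata` starts before and ends after this hunk.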
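Review bot: The comment above `verdict: yes` is hard to parse as written ("the verdict be 'drop' due to another alert. That's the engine's verdict"); a two-line rewrite states the same thing more plainly: `# Log the engine's final verdict for the packet. It can differ from the alert's` / `# own 'action' (e.g. 'allowed') when another alert or a flow drop caused a 'drop'.` Keeping the key's per-mode behaviour here would also help, since the code only ever reports `drop` in IPS mode.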
@@ -1292,6 +1292,9 @@
 },
 "reason": {
 "type": "string"
+ },
+ "verdict": {
+ "$ref": "#/$defs/verdict_type"
 }
 },
 "additionalProperties": false
diff --git a/src/output-json-drop.c b/src/output-json-drop.c
index 725b27a14ca9..f06dcb62cfc3 100644
--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@@ -60,7 +60,8 @@
 #define MODULE_NAME "JsonDropLog"
-#define LOG_DROP_ALERTS 1
+#define LOG_DROP_ALERTS BIT_U8(1)
+#define LOG_DROP_VERDICT BIT_U8(2)
 typedef struct JsonDropOutputCtx_ {
 uint8_t flags;
@@ -158,6 +159,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
 /* Close drop. */
 jb_close(js);
+ if (aft->drop_ctx->flags & LOG_DROP_VERDICT) {
+ GetVerdictJson(js, p);
+ }
+
 if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
 int logged = 0;
 int i;
@@ -273,7 +278,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
 const char *extended = ConfNodeLookupChildValue(conf, "alerts");
 if (extended != NULL) {
 if (ConfValIsTrue(extended)) {
- drop_ctx->flags = LOG_DROP_ALERTS;
+ drop_ctx->flags |= LOG_DROP_ALERTS;
 }
 }
 extended = ConfNodeLookupChildValue(conf, "flows");
@@ -287,6 +292,12 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
 "'flow' are 'start' and 'all'");
 }
 }
+ extended = ConfNodeLookupChildValue(conf, "verdict");
+ if (extended != NULL) {
+ if (ConfValIsTrue(extended)) {
+ drop_ctx->flags |= LOG_DROP_VERDICT;
+ }
+ }
 }
 drop_ctx->eve_ctx = ajt;
From 5825647fc177b56425da38149ac1e1e35544698e Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Thu, 22 Dec 2022 20:47:24 -0300
Subject: [PATCH 5/6] userguide/eve: format and reorganize alert section
The `field action` portion seemed to be comprised of a more generic section that followed it. Also formatted the section for lines to be within the character limit.
---
 doc/userguide/output/eve/eve-json-format.rst | 67 +++++++++++++++-----
 1 file changed, 52 insertions(+), 15 deletions(-)
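Review bot: `drop_ctx->flags |= LOG_DROP_ALERTS` (and the new `|= LOG_DROP_VERDICT`) now OR into `flags` instead of assigning it, which is only correct if `drop_ctx` is zero-initialised when allocated; the allocation is outside these hunks, so confirm it is calloc-style or add `drop_ctx->flags = 0;` before the first lookup. The `verdict` block is a second copy of the lookup-then-`ConfValIsTrue` pattern in `JsonDropLogInitCtxSub`; a small static helper mirroring `SetFlag` in output-json-alert.c keeps the boolean options in one place and makes the next one a one-liner. `LOG_DROP_ALERTS` also changes from the literal `1` to `BIT_U8(1)`, which is harmless only as long as nothing outside this file persists or compares the raw flag value. `JsonDropLogInitCtxSub` starts before and ends after the last two hunks.
```c
/* Set `bit` in *flags when the boolean child `name` of `conf` is present and true. */
static void SetDropFlag(ConfNode *conf, const char *name, uint8_t bit, uint8_t *flags)
{
    const char *val = ConfNodeLookupChildValue(conf, name);
    if (val != NULL && ConfValIsTrue(val)) {
        *flags |= bit;
    }
}

/* … in JsonDropLogInitCtxSub, replacing the "alerts" and "verdict" lookup blocks … */
SetDropFlag(conf, "alerts", LOG_DROP_ALERTS, &drop_ctx->flags);
SetDropFlag(conf, "verdict", LOG_DROP_VERDICT, &drop_ctx->flags);
```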
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst index 978d5cbfa24d..c7a1df71317d 100644 --- a/doc/userguide/output/eve/eve-json-format.rst +++ b/doc/userguide/output/eve/eve-json-format.rst @@ -89,23 +89,17 @@ generated the event. Event type: Alert ----------------- -Field action -~~~~~~~~~~~~ - -Possible values: "allowed" and "blocked" - -Example: - -:: - - - "action":"allowed" +This field contains data about a signature that matched, such as +``signature_id`` (``sid`` in the rule) and the ``signature`` (``msg`` in the +rule). -Action is set to "allowed" unless a rule used the "drop" action and Suricata is in IPS mode, or when the rule used the "reject" action. - -It can also contain information about Source and Target of the attack in the alert.source and alert.target field if target keyword is used in +It can also contain information about Source and Target of the attack in the +``alert.source`` and ``alert.target`` field if target keyword is used in the signature. +This event will also have the ``pcap_cnt`` field, when running in pcap mode, to +indicate which packet triggered the signature. + :: "alert": { 
@@ -147,6 +141,49 @@ the signature. } }, +Action field +~~~~~~~~~~~~ + +Possible values: "allowed" and "blocked". + +Example: + +:: + + "action":"allowed" + +Action is set to "allowed" unless a rule used the "drop" action and Suricata is +in IPS mode, or when the rule used the "reject" action. It is important to note +that this does not necessarily indicate the final verdict for a given packet or +flow, since one packet may match on several rules. + +.. _verdict-alert: + +Verdict +~~~~~~~ + +An object containning info on the final action that will be applied to a given +packet, based on all the signatures triggered by it and other possible events +(e.g., a flow drop). For that reason, it is possible for an alert with +an action ``allowed`` to have a verdict ``drop``, in IPS mode, for instance, if +that packet was dropped due to a different alert. + +* Action: ``alert``, ``pass``, ``drop`` (this latter only occurs in IPS mode) +* Reject-target: ``destination``, ``source``, ``both`` (only occurs for 'reject' rules) +* Reject: an array of strings with possible reject types: ``tcp-reset``, + ``icmp-prohib`` (only occurs for 'reject' rules) + +Example: + +:: + + "verdict": { + "action": "drop", + "reject-target": "source", + "reject": "[icmp-prohib]" + } + + Pcap Field ~~~~~~~~~~ @@ -2532,4 +2569,4 @@ Example of DHCP log entry (extended logging enabled): "rebinding_time":43200, "client_id":"54:ee:75:51:e0:66", "dns_servers":["192.168.1.50","192.168.1.49"] - } \ No newline at end of file + } From 40d30edccd6d3ef279af19b0b0d75a60693c41d8 Mon Sep 17 00:00:00 2001 From: Juliana Fajardini Date: Tue, 11 Jul 2023 19:00:53 -0300 Subject: [PATCH 6/6] detect/alert: flag packets with PASS action If packet->action is never set to 'pass', we won't know if a packet had a 'pass' verdict. Related to Bug #5464 --- src/detect-engine-alert.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c index f9cbed1564c5..e2f7ebe58855 100644 
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -416,6 +416,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 /* pass "alert" found, we're done */
 if (pa->action & ACTION_PASS) {
+ p->action |= ACTION_PASS;
 break;
 }
 p->alerts.cnt++;