
output/eve: add 'verdict' field to 'alert' and 'drop' events - v11 #9230

Status: Closed (4 commits)


jufajardini (Contributor):

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5464

Previous PR: #9220

Describe changes from previous PR:

  • handle UDP proto for reject
  • rename Eve verdict function
  • verdict disabled by default
  • update drop documentation (json output)
  • s/source/to_client
  • s/destination/to_server
  • update verdict schema

SV_BRANCH=pr/1314
OISF/suricata-verify#1314

Some output samples:

# IPS mode, `rejectdst` rule, TCP-reset
{
  "event_type": "alert",
  "src_ip": "10.16.1.11",
  "src_port": 54186,
  "dest_ip": "82.165.177.154",
  "dest_port": 80,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "blocked",
    "gid": 1,
    "signature_id": 2,
    "rev": 1,
    "signature": "",
    "category": "",
    "severity": 3
  },
  "verdict": {
    "action": "drop",
    "reject-target": "to_server",
    "reject": [
      "tcp-reset"
    ]
  }
}
# packet with alert and pass rules triggered:
{
  "event_type": "alert",
  "verdict": {
    "action": "pass"
  }
}

The `field action` portion seemed to be comprised of a more generic
section that followed it. Also formatted the section for lines to be
within the character limit.
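As an added example (not code from this PR or from Suricata), a small Python EVE consumer that validates the `verdict` object against the shape shown in the samples above and tallies alert/drop events per verdict action and reject method. The event lines are constructed, and the accepted value sets (`drop`/`pass`, `to_server`/`to_client`) are an assumption drawn only from the samples on this page; a missing `verdict` is treated as the default, disabled case.

```python
import json
from collections import Counter

# Value sets seen in the samples above; an assumption, not the full Suricata schema.
VERDICT_ACTIONS = {"drop", "pass"}
REJECT_TARGETS = {"to_server", "to_client"}

# Constructed EVE lines: a reject/drop alert, a pass alert, an alert with verdict
# output disabled (the default), and a non-alert event that must be skipped.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "proto": "TCP", "alert": {"action": "blocked", "signature_id": 2},
                "verdict": {"action": "drop", "reject-target": "to_server", "reject": ["tcp-reset"]}}),
    json.dumps({"event_type": "alert", "proto": "TCP", "alert": {"action": "allowed", "signature_id": 3},
                "verdict": {"action": "pass"}}),
    json.dumps({"event_type": "alert", "proto": "UDP", "alert": {"action": "allowed", "signature_id": 4}}),
    json.dumps({"event_type": "flow", "proto": "TCP"}),
]

def validate_verdict(event: dict) -> list[str]:
    """Return problems found in the event's verdict object (empty list if it is fine)."""
    verdict = event.get("verdict")
    if verdict is None:
        return []  # verdict output is off by default, so absence is normal
    problems = []
    if verdict.get("action") not in VERDICT_ACTIONS:
        problems.append(f"unexpected verdict.action {verdict.get('action')!r}")
    target, reject = verdict.get("reject-target"), verdict.get("reject")
    if target is not None and target not in REJECT_TARGETS:
        problems.append(f"unexpected reject-target {target!r}")
    if (target is None) != (reject is None):
        problems.append("reject-target and reject must appear together")
    return problems

def summarize_verdicts(lines) -> dict:
    """Count alert/drop events per verdict action and tally reject methods by target."""
    by_action, rejects, invalid = Counter(), Counter(), []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") not in ("alert", "drop"):
            continue  # only alert and drop events carry the verdict field
        problems = validate_verdict(event)
        if problems:
            invalid.append((event.get("alert", {}).get("signature_id"), problems))
            continue
        verdict = event.get("verdict")
        by_action[verdict["action"] if verdict else "none"] += 1
        for method in (verdict or {}).get("reject", []):
            rejects[(verdict["reject-target"], method)] += 1
    return {"by_action": dict(by_action), "rejects": dict(rejects), "invalid": invalid}
```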
@suricata-qa:

Information: QA ran without warnings.

Pipeline 15171

@victorjulien (Member):

Merged in #9233, thanks!

jufajardini deleted the alert-action/v10.1 branch July 14, 2023 13:59