next/89/20230713/v1 #9233

Merged (7 commits), Jul 14, 2023
67 changes: 52 additions & 15 deletions doc/userguide/output/eve/eve-json-format.rst
Expand Up @@ -89,23 +89,17 @@ generated the event.
Event type: Alert
-----------------

Field action
~~~~~~~~~~~~

Possible values: "allowed" and "blocked"

Example:

::


"action":"allowed"
This field contains data about a signature that matched, such as
``signature_id`` (``sid`` in the rule) and the ``signature`` (``msg`` in the
rule).

Action is set to "allowed" unless a rule used the "drop" action and Suricata is in IPS mode, or when the rule used the "reject" action.

It can also contain information about Source and Target of the attack in the alert.source and alert.target field if target keyword is used in
It can also contain information about Source and Target of the attack in the
``alert.source`` and ``alert.target`` field if target keyword is used in
the signature.

This event will also have the ``pcap_cnt`` field, when running in pcap mode, to
indicate which packet triggered the signature.

::

"alert": {
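Review bot: the rewrapped sentence "in the ``alert.source`` and ``alert.target`` field if target keyword is used in the signature" still has the grammar problem of the line it replaces: "field" should be plural and ``target`` is a rule keyword, so mark it up as a literal, i.e. "in the ``alert.source`` and ``alert.target`` fields if the ``target`` keyword is used in the signature". Moving the "Field action" subsection out of this spot is the right call, since it previously sat between "This field contains data about a signature that matched" and the ``alert`` example, separating the description from the object it describes.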
Expand Down Expand Up @@ -147,6 +141,49 @@ the signature.
}
},

Action field
~~~~~~~~~~~~

Possible values: "allowed" and "blocked".

Example:

::

"action":"allowed"

Action is set to "allowed" unless a rule used the "drop" action and Suricata is
in IPS mode, or when the rule used the "reject" action. It is important to note
that this does not necessarily indicate the final verdict for a given packet or
flow, since one packet may match on several rules.

.. _verdict-alert:

Verdict
~~~~~~~

An object containning info on the final action that will be applied to a given
packet, based on all the signatures triggered by it and other possible events
(e.g., a flow drop). For that reason, it is possible for an alert with
an action ``allowed`` to have a verdict ``drop``, in IPS mode, for instance, if
that packet was dropped due to a different alert.

* Action: ``alert``, ``pass``, ``drop`` (this latter only occurs in IPS mode)
* Reject-target: ``to_server``, ``to_client``, ``both`` (only occurs for 'reject' rules)
* Reject: an array of strings with possible reject types: ``tcp-reset``,
``icmp-prohib`` (only occurs for 'reject' rules)

Example:

::

"verdict": {
"action": "drop",
"reject-target": "to_client",
"reject": "[icmp-prohib]"
}


Pcap Field
~~~~~~~~~~

Expand Down Expand Up @@ -2532,4 +2569,4 @@ Example of DHCP log entry (extended logging enabled):
"rebinding_time":43200,
"client_id":"54:ee:75:51:e0:66",
"dns_servers":["192.168.1.50","192.168.1.49"]
}
}
16 changes: 16 additions & 0 deletions doc/userguide/output/eve/eve-json-output.rst
Expand Up @@ -264,6 +264,22 @@ enabled, then the log gets more verbose.

By using ``custom`` it is possible to select which TLS fields to log.

Drops
~~~~~

Drops are event types logged when the engine drops a packet.

Config::

- drop:
alerts: yes # log alerts that caused drops
flows: all # start or all: 'start' logs only a single drop
# per flow direction. All logs each dropped pkt.
# Enable logging the final action taken on a packet by the engine
# (will show more information in case of a drop caused by 'reject')
verdict: yes


Date modifiers in filename
~~~~~~~~~~~~~~~~~~~~~~~~~~

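Review bot: the new "Drops" section never says when drops happen; the format document in this PR states that a ``drop`` verdict only occurs in IPS mode, and that should be stated here too so a reader of the output configuration is not left wondering why the event type never appears. The ``verdict: yes`` comment ("will show more information in case of a drop caused by 'reject'") describes the key without pointing at where the verdict object is documented; suggest a cross-reference to the label added in the other file, e.g. "See :ref:`verdict-alert` for the fields of the verdict object." after the config block. The ``flows`` comment is clear, but "All logs each dropped pkt." reads better as "'all' logs each dropped packet." to match the quoting of 'start' on the line before.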
40 changes: 40 additions & 0 deletions etc/schema.json
Expand Up @@ -94,6 +94,9 @@
"type": "string",
"pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+[+\\-]\\d+$"
},
"verdict": {
"$ref": "#/$defs/verdict_type"
},
"direction": {
"type": "string"
},
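Review bot: the new top-level ``verdict`` property reuses ``#/$defs/verdict_type`` and is placed beside ``direction``, but nothing in the schema says which event types carry it, while the documentation in this PR ties it to alert and drop events; a ``$comment`` on the property, in the style of the ``$comment`` already used on the TLS date definition below, would make that explicit for people validating EVE output against the schema.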
Expand Down Expand Up @@ -1289,6 +1292,9 @@
},
"reason": {
"type": "string"
},
"verdict": {
"$ref": "#/$defs/verdict_type"
}
},
"additionalProperties": false
Expand Down Expand Up @@ -5393,6 +5399,40 @@
"$comment": "Definition for TLS date formats",
"type": "string",
"pattern": "^[1-2]\\d{3}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$"
},
"verdict_type": {
"type": "object",
"properties": {
"action": {
"type": "string"
},
"reject": {
"type": "array",
"items": {
"type": "string",
"oneOf": [
{
"enum": [
"icmp-prohib",
"tcp-reset"
]
}
]
}
},
"reject-target": {
"type": "string",
"oneOf": [
{
"enum": [
"to_client",
"to_server",
"both"
]
}
]
}
}
}
}
}
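Review bot: ``action`` in ``verdict_type`` is typed as a bare string, while the documentation in this PR enumerates exactly ``alert``, ``pass`` and ``drop``; constrain it the same way as ``reject-target``, i.e. ``"enum": ["alert", "pass", "drop"]``, so that a mistyped action fails validation. The ``oneOf`` wrappers around a single ``enum`` (for both the ``reject`` items and ``reject-target``) add nothing and can be collapsed to the plain ``enum``. ``verdict_type`` also lacks ``"additionalProperties": false``, which the object that references it in the previous hunk already uses; without it a misspelled key such as ``reject_target`` is silently accepted instead of rejected.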