
output/eve: add 'verdict' field to 'alert' and 'drop' events - v2 #8347

Closed · wants to merge 5 commits

Conversation

jufajardini
Contributor

@jufajardini jufajardini commented Jan 5, 2023

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5464

Previous PR: #8318

Changes from last PR:

  • make action field optional
  • add verdict field as a mandatory field for alert and drop events
  • fix verdict entry in the outputs section to list actually logged values
  • add documentation entries for drop event
  • format and reorganize alert eve section

suricata-verify-pr: 1057
OISF/suricata-verify#1057

The eve logs have a field alert.action that will say something like
'allowed' even if a packet gets blocked by some other rule. To make
this less ambiguous, a field was added to the alert and drop events
indicating the final verdict by the engine for a given packet.

Bug OISF#5464
The `field action` portion seemed to be comprised of a more generic
section that followed it. Also formatted the section for lines to be
within the character limit.
This field has caused confusion when packets or flows match on rules
with different actions, therefore resulting in conflicting 'action'
values being logged.

Make this optional after the inclusion of the [final] 'verdict' field,
which indicates the actual action performed.

Bug OISF#5464
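The ambiguity described above, that `alert.action` is per-rule while the engine's final disposition of the packet is something else, matters to anyone consuming EVE JSON for detection or incident timelines. The following is an added example, not code from the PR or from Suricata: a small reader that prefers the `verdict` field when present and falls back to `alert.action` only for older lines, flagging records where the two disagree. The sample lines are constructed here, and the exact shape of `verdict` (a plain string or an object with an `action` key) is an assumption, since the PR text does not spell it out.

```python
from __future__ import annotations

import json
from typing import Optional

# Constructed sample EVE lines (not real Suricata output). Field shapes for
# 'verdict' are assumed: either a string or an object with an 'action' key.
SAMPLE_EVE_LINES = [
    # Legacy line: only the per-rule alert.action is available.
    '{"event_type":"alert","src_ip":"10.0.0.5",'
    '"alert":{"signature_id":1000001,"action":"allowed"}}',
    # New line: the matching rule said "allowed", but the engine dropped the packet.
    '{"event_type":"alert","src_ip":"10.0.0.6",'
    '"alert":{"signature_id":1000002,"action":"allowed"},"verdict":{"action":"drop"}}',
    # New line: action is now optional and omitted; verdict is present.
    '{"event_type":"drop","src_ip":"10.0.0.7",'
    '"alert":{"signature_id":1000003},"verdict":"drop"}',
    # Unrelated event type; skipped by the summary.
    '{"event_type":"flow","src_ip":"10.0.0.8"}',
]


def final_verdict(event: dict) -> tuple[Optional[str], str]:
    """Return (verdict, source) for one decoded EVE event.

    'verdict' is the engine's final decision and wins when present.
    'alert.action' is what the matching rule asked for and may not be final.
    """
    verdict = event.get("verdict")
    if isinstance(verdict, dict):
        verdict = verdict.get("action")
    if verdict is not None:
        return str(verdict), "verdict"
    action = (event.get("alert") or {}).get("action")
    if action is not None:
        return str(action), "alert.action"
    return None, "none"


def summarize(lines: list[str]) -> list[dict]:
    """Reduce alert/drop EVE lines to (src_ip, sid, verdict, source, conflict) rows.

    'conflict' is True when alert.action and verdict are both present but
    disagree, e.g. a rule that said 'allowed' on a packet the engine dropped.
    """
    rows = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed lines
        if event.get("event_type") not in ("alert", "drop"):
            continue
        verdict, source = final_verdict(event)
        alert = event.get("alert") or {}
        rule_action = alert.get("action")
        conflict = (
            source == "verdict"
            and rule_action is not None
            and rule_action != verdict
        )
        rows.append(
            {
                "src_ip": event.get("src_ip"),
                "sid": alert.get("signature_id"),
                "verdict": verdict,
                "source": source,
                "conflict": conflict,
            }
        )
    return rows


def dropped_count(rows: list[dict]) -> int:
    """Count rows whose final verdict was a drop."""
    return sum(1 for r in rows if r["verdict"] == "drop")


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVE_LINES):
        print(row)
```

Reporting that is built on `rows[i]["verdict"]` rather than on `alert.action` gives the same answer whether or not the optional action field is emitted; the `source` column shows which lines still came from a pre-verdict Suricata and should be read with the ambiguity the PR describes in mind.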
@suricata-qa

WARNING:

field baseline test %
build_asan

Pipeline 11389

@jufajardini
Contributor Author

Replaced by #8348 as this has an error in the global variable name.

@jufajardini jufajardini closed this Jan 5, 2023