[FR]IDS/IPS: Drop event logging switch and alert details #4841
Comments
|
I think there was another ticket about this a long time ago and there was some issue with solving it without side affects, so I'm a bit cautious here.... |
|
@AdSchellevis |
|
no problem, not saying we shouldn't look at this, just cautious ;) |
|
) thanks. I see the commit when it appeared but unfortunately there is no additional information why |
|
Maybe it crosses my mind one of these days, vaguely remember there was "something" with it. |
|
in any case, this is another reason to once again compare the behavior with enabled and disabled logging. I will test it for a while. thanks! |
|
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue, |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Is your feature request related to a problem? Please describe.
Hi!
now if the IPS drops the packet two lines appear in the Alerts tab: one for the Alert event and the second for the Drop event.
both contain the same information although the Alert event may contain information about the payload
Describe the solution you like
could you please consider adding an Drop events logging switch. and adding debug info display for Drop events?
Thanks!
Describe alternatives you considered
Just disable drop events logging in suricata.yaml template:
`
- drop:
alerts: yes # log alerts that caused drops
flows: start # start or all: 'start' logs only a single drop
# per flow direction. All logs each dropped pkt.
`
Additional context
Add any other context or screenshots about the feature request here or links to relevant forum thread or similar
The text was updated successfully, but these errors were encountered: