output/drop: add verdict field

Related to Bug OISF#5464 (cherry picked from commit 0437173)
jufajardini · Aug 1, 2023 · 5eeb815 · 5eeb815
1 parent 8ef2940
commit 5eeb815
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
@@ -288,6 +288,22 @@ enabled, then the log gets more verbose.
 
 By using ``custom`` it is possible to select which TLS fields to log.
 
+Drops
+~~~~~
+
+Drops are event types logged when the engine drops a packet.
+
+Config::
+
+    - drop:
+        alerts: yes      # log alerts that caused drops
+        flows: all       # start or all: 'start' logs only a single drop
+                         # per flow direction. All logs each dropped pkt.
+        # Enable logging the final action taken on a packet by the engine
+        # (will show more information in case of a drop caused by 'reject')
+        verdict: yes
+
+
 Date modifiers in filename
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/src/output-json-drop.c b/src/output-json-drop.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2020 Open Information Security Foundation
+/* Copyright (C) 2007-2023 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -58,7 +58,8 @@
 
 #define MODULE_NAME "JsonDropLog"
 
-#define LOG_DROP_ALERTS 1
+#define LOG_DROP_ALERTS  BIT_U8(1)
+#define LOG_DROP_VERDICT BIT_U8(2)
 
 typedef struct JsonDropOutputCtx_ {
     LogFileCtx *file_ctx;
@@ -155,6 +156,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
     /* Close drop. */
     jb_close(js);
 
+    if (aft->drop_ctx->flags & LOG_DROP_VERDICT) {
+        EveAddVerdict(js, p);
+    }
+
     if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
         int logged = 0;
         int i;
@@ -280,7 +285,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
         const char *extended = ConfNodeLookupChildValue(conf, "alerts");
         if (extended != NULL) {
             if (ConfValIsTrue(extended)) {
-                drop_ctx->flags = LOG_DROP_ALERTS;
+                drop_ctx->flags |= LOG_DROP_ALERTS;
             }
         }
         extended = ConfNodeLookupChildValue(conf, "flows");
@@ -294,6 +299,12 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
                         "'flow' are 'start' and 'all'");
             }
         }
+        extended = ConfNodeLookupChildValue(conf, "verdict");
+        if (extended != NULL) {
+            if (ConfValIsTrue(extended)) {
+                drop_ctx->flags |= LOG_DROP_VERDICT;
+            }
+        }
     }
 
     drop_ctx->file_ctx = ajt->file_ctx;

diff --git a/suricata.yaml.in b/suricata.yaml.in
@@ -254,6 +254,9 @@ outputs:
         #    alerts: yes      # log alerts that caused drops
         #    flows: all       # start or all: 'start' logs only a single drop
         #                     # per flow direction. All logs each dropped pkt.
+        #    verdict: yes     # Enable logging the final action taken on a packet
+                              # by the engine (will show more information in case
+                              # of a drop caused by 'reject')
         - smtp:
             #extended: yes # enable this for extended logging information
             # this includes: bcc, message-id, subject, x_mailer, user-agent