output/drop: add verdict field

Related to Bug OISF#5464
victorjulien · Jul 13, 2023 · 0437173 · 0437173
1 parent 53b8def
commit 0437173
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 2 deletions.
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
@@ -264,6 +264,22 @@ enabled, then the log gets more verbose.
 
 By using ``custom`` it is possible to select which TLS fields to log.
 
+Drops
+~~~~~
+
+Drops are event types logged when the engine drops a packet.
+
+Config::
+
+    - drop:
+        alerts: yes      # log alerts that caused drops
+        flows: all       # start or all: 'start' logs only a single drop
+                         # per flow direction. All logs each dropped pkt.
+        # Enable logging the final action taken on a packet by the engine
+        # (will show more information in case of a drop caused by 'reject')
+        verdict: yes
+
+
 Date modifiers in filename
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/etc/schema.json b/etc/schema.json
@@ -1292,6 +1292,9 @@
                 },
                 "reason": {
                     "type": "string"
+                },
+                "verdict": {
+                    "$ref": "#/$defs/verdict_type"
                 }
             },
             "additionalProperties": false

diff --git a/src/output-json-drop.c b/src/output-json-drop.c
@@ -60,7 +60,8 @@
 
 #define MODULE_NAME "JsonDropLog"
 
-#define LOG_DROP_ALERTS 1
+#define LOG_DROP_ALERTS  BIT_U8(1)
+#define LOG_DROP_VERDICT BIT_U8(2)
 
 typedef struct JsonDropOutputCtx_ {
     uint8_t flags;
@@ -158,6 +159,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
     /* Close drop. */
     jb_close(js);
 
+    if (aft->drop_ctx->flags & LOG_DROP_VERDICT) {
+        EveAddVerdict(js, p);
+    }
+
     if (aft->drop_ctx->flags & LOG_DROP_ALERTS) {
         int logged = 0;
         int i;
@@ -273,7 +278,7 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
         const char *extended = ConfNodeLookupChildValue(conf, "alerts");
         if (extended != NULL) {
             if (ConfValIsTrue(extended)) {
-                drop_ctx->flags = LOG_DROP_ALERTS;
+                drop_ctx->flags |= LOG_DROP_ALERTS;
             }
         }
         extended = ConfNodeLookupChildValue(conf, "flows");
@@ -287,6 +292,12 @@ static OutputInitResult JsonDropLogInitCtxSub(ConfNode *conf, OutputCtx *parent_
                              "'flow' are 'start' and 'all'");
             }
         }
+        extended = ConfNodeLookupChildValue(conf, "verdict");
+        if (extended != NULL) {
+            if (ConfValIsTrue(extended)) {
+                drop_ctx->flags |= LOG_DROP_VERDICT;
+            }
+        }
     }
 
     drop_ctx->eve_ctx = ajt;

diff --git a/suricata.yaml.in b/suricata.yaml.in
@@ -262,6 +262,9 @@ outputs:
         #    alerts: yes      # log alerts that caused drops
         #    flows: all       # start or all: 'start' logs only a single drop
         #                     # per flow direction. All logs each dropped pkt.
+            # Enable logging the final action taken on a packet by the engine
+            # (will show more information in case of a drop caused by 'reject')
+            # verdict: yes
         - smtp:
             #extended: yes # enable this for extended logging information
             # this includes: bcc, message-id, subject, x_mailer, user-agent