Bug #1177

closed

eve log does not show action 'dropped', just 'allowed'

Added by Fábio Depin about 10 years ago. Updated about 10 years ago.

Status: Closed
Priority: High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In all cases, whether the rule is 'alert', 'drop' or 'reject', the 'action' field in the eve log is always 'allowed'.


{"timestamp":"2014-04-10T10:02:39.874459","event_type":"alert","src_ip":"177.207.216.168","src_port":6030,"dest_ip":"192.168.10.224","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2005541,"rev":5,"signature":"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE","category":"Web Application Attack","severity":1}}
{"timestamp":"2014-04-10T10:02:39.874459","event_type":"alert","src_ip":"177.207.216.168","src_port":6030,"dest_ip":"192.168.10.224","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2005541,"rev":5,"signature":"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE","category":"Web Application Attack","severity":1}}
{"timestamp":"2014-04-10T10:02:39.874459","event_type":"alert","src_ip":"177.207.216.168","src_port":6030,"dest_ip":"192.168.10.224","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006614,"rev":6,"signature":"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE","category":"Web Application Attack","severity":1}}
-------------------------------------------------------

Fixing this problem:
-------------------------------------------------------
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 55c51dd..3d2a767 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c
@ -62,7 +62,7 @

#ifdef HAVE_LIBJANSSON

-extern int engine_mode;
+extern uint8_t engine_mode;

typedef struct JsonAlertLogThread_ {
/** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
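Review bot: the defect this hunk corrects is a type mismatch between the local `extern int engine_mode;` declaration in output-json-alert.c and the variable's actual definition, which the replacement line implies is `uint8_t`. Because the declaration and the definition sit in different translation units, the compiler cannot flag the mismatch, and reading a one-byte object through an `int` declaration picks up whatever bytes happen to follow it, so any test of `engine_mode` in this file is unreliable, which fits the always-'allowed' symptom in the report. Changing the type to `uint8_t` fixes the immediate bug, but the same drift can recur the next time the definition changes; prefer declaring `engine_mode` once in a header next to its definition and including that header here instead of repeating a per-file extern.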
-------------------------------------------------------
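A check for the symptom reported above, added here as an example that is not part of the report or of Suricata: it cross-references eve.json alert records with the action keyword of the matching rule and flags sids whose rule says drop or reject while the eve 'action' says 'allowed'. The eve records are trimmed from the ones quoted above; the rule lines, the actions assigned to each sid, the malformed line and the non-alert event are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample: the eve.json alert records quoted in the report, trimmed to
# the fields this check reads, plus one malformed line and one non-alert event.
EVE_LINES = """\
{"timestamp":"2014-04-10T10:02:39.874459","event_type":"alert","alert":{"action":"allowed","signature_id":2005541,"rev":5}}
{"timestamp":"2014-04-10T10:02:39.874459","event_type":"alert","alert":{"action":"allowed","signature_id":2005541,"rev":5}}
{"timestamp":"2014-04-10T10:02:39.874459","event_type":"alert","alert":{"action":"allowed","signature_id":2006614,"rev":6}}
not json at all
{"timestamp":"2014-04-10T10:02:40.000000","event_type":"http","http":{"hostname":"constructed"}}
"""

# Constructed, simplified rules: the action given to each sid is hypothetical;
# only the leading action keyword and the sid option are read.
RULES = """\
# comments and blank lines never match the rule pattern
drop http $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed drop rule"; sid:2005541; rev:5;)
alert http $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed alert rule"; sid:2006614; rev:6;)
"""

RULE_RE = re.compile(r"^\s*(alert|drop|reject|pass)\b.*\bsid\s*:\s*(\d+)\s*;", re.I)

def rule_actions(rules_text):
    # sid -> action keyword taken from the start of each rule line
    return {int(m.group(2)): m.group(1).lower()
            for m in map(RULE_RE.match, rules_text.splitlines()) if m}

def logged_actions(eve_text):
    # (sid, alert.action) -> count; malformed and non-alert lines are skipped
    counts = Counter()
    for line in eve_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("event_type") == "alert":
            alert = rec.get("alert", {})
            counts[(alert.get("signature_id"), alert.get("action"))] += 1
    return counts

def find_mismatches(eve_text, rules_text):
    # (sid, rule_action, logged_action, count) for drop/reject rules logged as 'allowed'
    actions = rule_actions(rules_text)
    return sorted(
        (sid, actions[sid], logged, n)
        for (sid, logged), n in logged_actions(eve_text).items()
        if actions.get(sid) in ("drop", "reject") and logged == "allowed"
    )
```

On a fixed build the drop rule's alerts should stop appearing in this report; on an affected build every drop or reject rule that fired shows up with its 'allowed' count.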
#1

Updated by Victor Julien about 10 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
#2

Updated by Victor Julien about 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100