Feature #1995


fast.log should show if packet has been dropped or rejected

Added by Jan Eagleman over 7 years ago. Updated about 5 years ago.

Target version:


When managing a few thousand rules with a mixed drop/reject policy it might be useful for fast.log to show if a packet has been dropped or rejected, at the moment it can only show drop.

for example:

reject http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; content:".su|0d 0a|"; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x2Esu\x0D\x0A/H"; reference:url,; classtype:trojan-activity; sid:2014170; rev:2;)

Shows this in fast.log

12/21/2016-17:23:33.897239 [Drop] [**] [1:2014170:2] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} ->

Actions #1

Updated by Jason Ish over 7 years ago

Looks like Snort does this as well with possible values being:
- Allow
- CDrop
- WDrop
- Drop
- FDrop

so breaking compatibility with Snort should not be an issue, would just want to verify some Snort output.

Reason: I think fast.log is one of the things we should stick with Snort compatibility if we can, as that is where the format is from and existing tools may be depending on it.

Actions #2

Updated by Andreas Herz over 7 years ago

I had a similiar request some time ago, wanted the "WDrop" but after some thinking I would prefer better wording. Maybe as an option to choose between snort compatible and some other?

Actions #3

Updated by Victor Julien about 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Priority changed from Normal to Low
  • Target version set to 70
Actions #4

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to New
  • Assignee changed from Jason Ish to Community Ticket
  • Priority changed from Low to Normal
  • Target version changed from 70 to TBD

Also available in: Atom PDF