Feature #1995
openfast.log should show if packet has been dropped or rejected
Description
When managing a few thousand rules with a mixed drop/reject policy it might be useful for fast.log to show if a packet has been dropped or rejected, at the moment it can only show drop.
for example:
reject http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; content:".su|0d 0a|"; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x2Esu\x0D\x0A/H"; reference:url,www.abuse.ch/?p=3581; classtype:trojan-activity; sid:2014170; rev:2;)
Shows this in fast.log
12/21/2016-17:23:33.897239 [Drop] [**] [1:2014170:2] ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.12:12507 -> 104.25.73.38:80
Updated by Jason Ish over 7 years ago
Looks like Snort does this as well with possible values being:
- Allow
- CDrop
- WDrop
- Drop
- FDrop
so breaking compatibility with Snort should not be an issue, would just want to verify some Snort output.
Reason: I think fast.log is one of the things we should stick with Snort compatibility if we can, as that is where the format is from and existing tools may be depending on it.
Updated by Andreas Herz over 7 years ago
I had a similiar request some time ago, wanted the "WDrop" but after some thinking I would prefer better wording. Maybe as an option to choose between snort compatible and some other?
Updated by Victor Julien about 7 years ago
- Status changed from New to Assigned
- Assignee set to Jason Ish
- Priority changed from Normal to Low
- Target version set to 70
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to New
- Assignee changed from Jason Ish to Community Ticket
- Priority changed from Low to Normal
- Target version changed from 70 to TBD