Feature #6210
open
outputs: add verdict event type
Added by Juliana Fajardini Reichow 10 months ago.
Updated 8 months ago.
Description
We're soon to have a verdict logged out with alerts and drops, but we think there is
value in adding that as an independent field, too, to log more situations that affect packets.
- Related to Bug #5464: eve: if alert and drop rules match for a packet, "alert.action" is ambigious added
I think the event type should be disabled by default, similar to the "drop" event type.
When it is enabled, it should default to logging for packets that:
1. have alerts
2. had a new pass action trigger (so the first pass if a flow pass was set)
3. had a new drop action trigger (so the first drop if a flow drop was set)
4. a bypass is triggered
Optionally, it should log for each packet that is dropped or "passed".
- Priority changed from Normal to Low
- Priority changed from Low to Normal
- Target version changed from 7.0.1 to 8.0.0-beta1
Retarget to 8. Can consider backport.
Also available in: Atom
PDF