
Task #7350: firewall usecase: log app-layer metadata for catch-all drop rules

Added by Jason Ish over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

As documented in #7199, Suricata up to version 7.0.4 or so (check) would always log tx-id for a catch-all drop rule as shown in #7199. Latest Suricata 7 won't log any app-layer metadata in this case, as Suricata can't be sure it's logging the correct data, and no extra data is better than logging the wrong data.

However, this is not ideal for the application firewall use cases where having data about what you are dropping is important. For example, if allow-listing a set of URLs, then dropping all others, it would be ideal to have the HTTP app-layer metadata in the drop logs.

This ticket is to discuss how this use case can be better supported, as we believe the fix in #6846 to be correct.

Some cases are possibly simpler, like when there has only been one transaction recorded, but it gets trickier if there are more.
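The single-transaction versus multi-transaction distinction above can be worked through offline on the EVE log itself. The script below is an added example written for this ticket, not Suricata code: it joins each `drop` event with the `http` events of the same `flow_id` and attaches the HTTP metadata only when exactly one transaction was seen on that flow, leaving the drop unenriched when there are several (mirroring the "no data is better than wrong data" stance of #6846). Only the `flow_id`, `event_type`, `tx_id` and `http` field names come from the EVE format; the log lines are constructed, and the join is done in two passes so it does not depend on whether the `http` or the `drop` record was written first.

```python
"""Join EVE drop events with the HTTP transactions of the same flow.

Constructed example for the allow-list + catch-all-drop use case in this
ticket; it is not part of Suricata.  Field names flow_id / event_type /
tx_id / http follow the EVE JSON format; everything else is made up.
"""
import json
from collections import defaultdict

# Constructed EVE lines (not a real capture):
#   flow 1: one HTTP tx, then a drop        -> metadata is unambiguous
#   flow 2: two HTTP txs, then a drop       -> which tx was dropped? unknown
#   flow 3: a drop with no http event at all -> nothing to attach
SAMPLE_EVE = """\
{"flow_id":1,"event_type":"http","tx_id":0,"http":{"hostname":"a.example","url":"/admin","http_method":"GET"}}
{"flow_id":1,"event_type":"drop","drop":{"reason":"rule"}}
{"flow_id":2,"event_type":"http","tx_id":0,"http":{"hostname":"b.example","url":"/ok","http_method":"GET"}}
{"flow_id":2,"event_type":"http","tx_id":1,"http":{"hostname":"b.example","url":"/secret","http_method":"POST"}}
{"flow_id":2,"event_type":"drop","drop":{"reason":"rule"}}
{"flow_id":3,"event_type":"drop","drop":{"reason":"rule"}}
"""


def enrich_drops(eve_text):
    """Return a list of (flow_id, verdict, http_metadata_or_None), one per drop.

    verdict is one of:
      "single"    - exactly one tx seen on the flow; its metadata is attached
      "ambiguous" - more than one tx on the flow; attach nothing rather than guess
      "none"      - no http event exists for the flow
    """
    events = [json.loads(line) for line in eve_text.splitlines() if line.strip()]

    # Pass 1: collect every HTTP transaction per flow, keyed by tx_id so a
    # re-logged transaction does not count twice.
    txs = defaultdict(dict)
    for ev in events:
        if ev.get("event_type") == "http":
            txs[ev["flow_id"]][ev["tx_id"]] = ev["http"]

    # Pass 2: decide, per drop, whether the flow's metadata can be attributed.
    results = []
    for ev in events:
        if ev.get("event_type") != "drop":
            continue
        seen = txs.get(ev["flow_id"], {})
        if len(seen) == 1:
            (http,) = seen.values()
            results.append((ev["flow_id"], "single", http))
        elif len(seen) > 1:
            results.append((ev["flow_id"], "ambiguous", None))
        else:
            results.append((ev["flow_id"], "none", None))
    return results


if __name__ == "__main__":
    for flow_id, verdict, http in enrich_drops(SAMPLE_EVE):
        print(flow_id, verdict, http)
```

For the ambiguous case a real enrichment would need to know which transaction was in progress when the packet was dropped, which is exactly the information the engine no longer guesses at; this script deliberately stops where the engine stops.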


Related issues (3: 0 open, 3 closed)

Related to Suricata - Bug #6846: eve/alerts: wrongly using tx id 0 when there is no tx (Closed, Philippe Antoine)
Related to Suricata - Bug #7199: detect: missing app-layer metadata in alerts (Closed, Philippe Antoine)
Related to Suricata - Story #7164: usecase: improve firewall usecase (Closed, Victor Julien)

#1 Updated by Jason Ish over 1 year ago

  • Related to Bug #6846: eve/alerts: wrongly using tx id 0 when there is no tx added

#2 Updated by Jason Ish over 1 year ago

  • Related to Bug #7199: detect: missing app-layer metadata in alerts added

#3 Updated by Jason Ish over 1 year ago

  • Related to Story #7164: usecase: improve firewall usecase added

#4 Updated by Jason Ish over 1 year ago

  • Description updated (diff)

#5 Updated by Philippe Antoine over 1 year ago

  • Status changed from New to In Review
  • Target version changed from TBD to 8.0.0-beta1

#6 Updated by Philippe Antoine over 1 year ago

  • Status changed from In Review to Closed