Feature #7888
open
add app_proto to all event_type
Description
There is a regression between Suricata 7 and Suricata 8. The app_proto was logged in almost all events in 7 and is only logged in a small subset (fileinfo, flow, frame, netflow) in 8.
This could trigger problems for people who have dashboards or searches using this key. Also, there is an interest in this information in case of protocol upgrade. For example, in the case of TLS, it is useful to know that the TLS session is an upgrade of a previous session to avoid thinking this is an anomaly.
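An added example, not part of the issue or of Suricata's code: a small audit that reads EVE JSON lines and reports, per event_type, how many records carry app_proto, so dashboard owners can see which searches keyed on that field would come up empty. The sample records and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample EVE records (not taken from a real capture or from the issue).
SAMPLE_EVE = """\
{"event_type": "flow", "flow_id": 1, "app_proto": "tls"}
{"event_type": "tls", "flow_id": 1, "tls": {"sni": "example.test"}}
{"event_type": "fileinfo", "flow_id": 2, "app_proto": "http"}
{"event_type": "http", "flow_id": 2, "http": {"hostname": "example.test"}}
{"event_type": "http", "flow_id": 3, "app_proto": "http"}
not-json garbage line
"""

def app_proto_coverage(lines):
    """Return {event_type: (records_with_app_proto, total_records)}."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        if not isinstance(rec, dict) or "event_type" not in rec:
            continue
        entry = counts[rec["event_type"]]
        entry[1] += 1
        if "app_proto" in rec:
            entry[0] += 1
    return {etype: tuple(pair) for etype, pair in counts.items()}

def types_missing_app_proto(coverage):
    """Event types where at least one record lacks app_proto, sorted by name."""
    return sorted(t for t, (have, total) in coverage.items() if have < total)

if __name__ == "__main__":
    cov = app_proto_coverage(SAMPLE_EVE.splitlines())
    for etype, (have, total) in sorted(cov.items()):
        print(f"{etype:10s} {have}/{total} records carry app_proto")
    print("searches keyed on app_proto will miss:", types_missing_app_proto(cov))
```

To audit a real log, pass an open eve.json file handle to app_proto_coverage instead of the sample lines.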
Updated by Eric Leblond 7 days ago
- Status changed from In Progress to In Review
Proposal here: https://github.com/OISF/suricata/pull/13810
Updated by Eric Leblond 7 days ago
- Tracker changed from Bug to Feature
- Subject changed from app_proto is absent from most event_type to add app_proto to all event_type
- Affected Versions deleted (8.0.0, 8.0.1)
Updated by Eric Leblond 7 days ago
This is not a regression. I've tested with a 7.0.x and an 8.0.x and they behave similarly. I had a patch on the 7.0.x I used to test data format that was bringing more app_proto logging.