Feature #8456 (closed)
firewall: source field in alert/drop events to distinguish firewall from IDS/IPS
Description
When Suricata runs in firewall mode alongside IDS/IPS detection rules, both engines emit event_type: "alert" events into EVE JSON with an identical schema. There is currently no field in the alert event that indicates whether the alert originated from a firewall rule (accept:flow, reject:flow, etc.) or a traditional IDS/IPS rule (alert, drop).
This makes it impossible for downstream log consumers to programmatically distinguish between firewall policy alerts and IDS/IPS detection alerts without relying on indirect heuristics like SID ranges or signature text fields.
For context, event_type: "drop" events already have something similar, a drop.reason field that differentiates firewall drops (default_packet_policy, pre_stream_hook, etc.) from IDS/IPS drops (rules). Alert events lack an equivalent mechanism.
Updated by Yash Datre about 2 months ago
Proposed Solution
Add a new field to the alert object in EVE JSON output that identifies the source engine. For example:
    {
      "event_type": "alert",
      "alert": {
        "action": "allowed",
        "source": "firewall",
        "signature_id": 1001,
        "signature": "ICMP ping accepted",
        ...
      }
    }
Suggested values for alert.source (or alert.engine):
"firewall" — alert generated by a firewall-mode rule
"ids" or "detection" — alert generated by a traditional IDS/IPS rule
Updated by Victor Julien about 1 month ago
- Tracker changed from Bug to Feature
- Subject changed from EVE JSON: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts to firewall: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts
- Affected Versions deleted (8.0.4)
Updated by Victor Julien about 1 month ago
- Related to Feature #8479: eve/firewall: dedicated log record type added
Updated by Jason Ish 15 days ago
- Status changed from New to Assigned
- Assignee set to OISF Dev
- Target version changed from TBD to 9.0.0-beta1
Just a note that alert.source is already a used field, when a rule uses the target keyword. For example:
    "alert": {
      "action": "allowed",
      "gid": 1,
      "signature_id": 1,
      "rev": 0,
      "signature": "ET EXPLOIT Selenium Server Chrome 3.141.59 Remote Code Execution",
      "category": "Attempted Administrator Privilege Gain",
      "severity": 1,
      "source": {
        "ip": "127.0.0.1",
        "port": 8080
      },
      "target": {
        "ip": "127.0.0.1",
        "port": 63516
      },
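The following is an added example of the downstream consumer the ticket description has in mind, written for this page and not code from the Suricata project or the ticket's participants. It classifies newline-delimited EVE JSON into firewall-originated versus rule-originated events: drop events via the existing drop.reason field, alert events via the proposed alert.source string. It also covers the collision Jason Ish points out above: when a rule uses the target keyword, alert.source is already an address object (ip/port), so the consumer must check the field's type before reading it as an engine name. The string values "firewall", "ids" and "detection" are the ticket's proposal, not a shipped field (the merged PR's final form is not quoted on this page), the set of firewall drop reasons is taken from the description and is not exhaustive, and the sample lines are constructed rather than captured output.

```python
import json
from collections import Counter
from typing import Optional

# Constructed sample EVE JSON lines (not captured Suricata output). The string
# form of alert.source follows the ticket's proposal and is hypothetical; the
# object form is what Suricata already emits for rules using the `target` keyword.
SAMPLE_EVE = """\
{"event_type":"drop","drop":{"reason":"default_packet_policy"}}
{"event_type":"drop","drop":{"reason":"pre_stream_hook"}}
{"event_type":"drop","drop":{"reason":"rules"}}
{"event_type":"alert","alert":{"action":"allowed","source":"firewall","signature_id":1001,"signature":"ICMP ping accepted"}}
{"event_type":"alert","alert":{"action":"allowed","source":"ids","signature_id":2000001,"signature":"constructed IDS rule"}}
{"event_type":"alert","alert":{"action":"allowed","gid":1,"signature_id":1,"source":{"ip":"127.0.0.1","port":8080},"target":{"ip":"127.0.0.1","port":63516}}}
{"event_type":"alert","alert":{"action":"allowed","signature_id":3,"signature":"no engine marker"}}
{"event_type":"flow","src_ip":"10.0.0.1","dest_ip":"10.0.0.2"}
"""

# drop.reason values the ticket names as firewall-originated. The ticket's "etc."
# means this set is not exhaustive, so any other reason that is not "rules" is
# reported as "unknown" instead of being guessed.
FIREWALL_DROP_REASONS = frozenset({"default_packet_policy", "pre_stream_hook"})
RULE_DROP_REASON = "rules"

# Proposed alert.source string values from the ticket (assumption: the final
# field name and values are decided by the merged PR, which this page does not quote).
ENGINE_STRINGS = {"firewall": "firewall", "ids": "ids", "detection": "ids"}


def classify_drop(drop: dict) -> str:
    """Map drop.reason to the originating engine."""
    reason = drop.get("reason")
    if reason == RULE_DROP_REASON:
        return "ids"
    if reason in FIREWALL_DROP_REASONS:
        return "firewall"
    return "unknown"


def classify_alert(alert: dict) -> str:
    """Map the proposed alert.source string to an engine, tolerating the
    pre-existing object form written by the `target` keyword."""
    src = alert.get("source")
    if isinstance(src, str):
        return ENGINE_STRINGS.get(src, "unknown")
    # A dict here is the address block (alert.source.ip / alert.source.port)
    # from the `target` keyword; it carries no engine information, and a
    # missing field carries none either.
    return "unknown"


def classify(event: dict) -> Optional[str]:
    """Return 'firewall', 'ids' or 'unknown' for alert/drop events, None for others."""
    etype = event.get("event_type")
    if etype == "drop":
        return classify_drop(event.get("drop") or {})
    if etype == "alert":
        return classify_alert(event.get("alert") or {})
    return None


def classify_eve(text: str) -> Counter:
    """Count (event_type, engine) pairs over newline-delimited EVE JSON.
    Lines that are not valid JSON are counted under ('malformed', None)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            counts[("malformed", None)] += 1
            continue
        label = classify(event)
        if label is not None:
            counts[(event["event_type"], label)] += 1
    return counts


if __name__ == "__main__":
    for (etype, label), n in sorted(classify_eve(SAMPLE_EVE).items()):
        print(f"{etype:6} {label:9} {n}")
```

The type check in classify_alert is the part worth keeping whatever field name the project finally settles on: a consumer that does `alert["source"] == "firewall"` silently misfiles every target-keyword alert, and one that does `alert["source"]["ip"]` raises on the string form.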
Updated by OISF Ticketbot 15 days ago
- Subtask #8544 added
Updated by OISF Ticketbot 15 days ago
- Label deleted (Needs backport to 8.0)
Updated by Jason Ish 15 days ago
- Status changed from In Progress to In Review
Pull request: https://github.com/OISF/suricata/pull/15335
Updated by Shivani Bhardwaj 11 days ago
- Subject changed from firewall: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts to firewall: source field in alert/drop events to distinguish firewall from IDS/IPS
Updated by Juliana Fajardini Reichow 11 days ago
- Status changed from In Review to Resolved
Merged with https://github.com/OISF/suricata/pull/15370