Feature #8456
openfirewall: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts
Description
When Suricata runs in firewall mode alongside IDS/IPS detection rules, both engines emit event_type: "alert" events into EVE JSON with an identical schema. There is currently no field in the alert event that indicates whether the alert originated from a firewall rule ( accept:flow , reject:flow , etc.) or a traditional IDS/IPS rule ( alert , drop ).
This makes it impossible for downstream log consumers to programmatically distinguish between firewall policy alerts and IDS/IPS detection alerts without relying on indirect heuristics like SID ranges or signature text fields.
For context, event_type: "drop" events already have something similar drop.reason field that differentiates firewall drops (default_packet_policy, pre_stream_hook, etc.) from IDS/IPS drops (rules). Alert events lack an equivalent mechanism.
YD Updated by Yash Datre 22 days ago
Proposed Solution
Add a new field to the alert object in EVE JSON output that identifies the source engine. For example
{
"event_type": "alert",
"alert": {
"action": "allowed",
"source": "firewall",
"signature_id": 1001,
"signature": "ICMP ping accepted",
...
}
}
Suggested values for alert.source (or alert.engine ):
"firewall" — alert generated by a firewall-mode rule
"ids" or "detection" — alert generated by a traditional IDS/IPS rule
VJ Updated by Victor Julien 14 days ago
- Tracker changed from Bug to Feature
- Subject changed from EVE JSON: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts to firewall: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts
- Affected Versions deleted (
8.0.4)
VJ Updated by Victor Julien 14 days ago
- Related to Feature #8479: eve/firewall: dedicated log record type added