Bug #8456: EVE JSON: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts

Added by Yash Datre 2 days ago. Updated 2 days ago.

Status: New
Priority: Normal
Assignee: -
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When Suricata runs in firewall mode alongside IDS/IPS detection rules, both engines emit event_type: "alert" events into EVE JSON with an identical schema. There is currently no field in the alert event that indicates whether the alert originated from a firewall rule (accept:flow, reject:flow, etc.) or a traditional IDS/IPS rule (alert, drop).

This makes it impossible for downstream log consumers to programmatically distinguish between firewall policy alerts and IDS/IPS detection alerts without relying on indirect heuristics like SID ranges or signature text fields.

For context, event_type: "drop" events already have something similar: a drop.reason field that differentiates firewall drops (default_packet_policy, pre_stream_hook, etc.) from IDS/IPS drops (rules). Alert events lack an equivalent mechanism.

Updated by Yash Datre 2 days ago #1

Proposed Solution

Add a new field to the alert object in EVE JSON output that identifies the source engine. For example

{
  "event_type": "alert",
  "alert": {
    "action": "allowed",
    "source": "firewall",
    "signature_id": 1001,
    "signature": "ICMP ping accepted",
    ...
  }
}

Suggested values for alert.source (or alert.engine):

"firewall" — alert generated by a firewall-mode rule
"ids" or "detection" — alert generated by a traditional IDS/IPS rule
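The consumer-side logic that this ticket is asking to make possible, as an added example that is not part of the ticket or of Suricata's own code. It classifies EVE alert and drop records by source engine: drop events via the existing drop.reason field (using the reason values named in the description), alert events via the proposed alert.source field. The sample EVE lines are constructed for the example, the records carrying alert.source assume the proposal has been implemented, and the optional SID-range fallback is the kind of heuristic the description calls unreliable, included only to show what consumers are reduced to today.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not captured from a real Suricata run).
# drop.reason values follow the ticket: "rules" for IDS/IPS drops,
# "default_packet_policy" / "pre_stream_hook" for firewall drops.
# "alert.source" is the ticket's PROPOSED field and does not exist in released
# Suricata; the last two records assume it has been implemented.
SAMPLE_EVE_LINES = [
    '{"event_type":"drop","drop":{"reason":"rules"},"alert":{"signature_id":2000001,"signature":"Example detection rule"}}',
    '{"event_type":"drop","drop":{"reason":"default_packet_policy"}}',
    '{"event_type":"drop","drop":{"reason":"pre_stream_hook"}}',
    '{"event_type":"alert","alert":{"action":"allowed","signature_id":1001,"signature":"ICMP ping accepted"}}',
    '{"event_type":"alert","alert":{"action":"allowed","signature_id":2000001,"signature":"Example detection rule"}}',
    '{"event_type":"alert","alert":{"action":"allowed","source":"firewall","signature_id":1001,"signature":"ICMP ping accepted"}}',
    '{"event_type":"alert","alert":{"action":"allowed","source":"ids","signature_id":2000001,"signature":"Example detection rule"}}',
]

# drop.reason values the ticket attributes to the firewall engine. The ticket
# says "etc.", so any reason not listed here is reported as unknown rather
# than guessed.
FIREWALL_DROP_REASONS = {"default_packet_policy", "pre_stream_hook"}


def classify_engine(record, firewall_sid_range=None):
    """Return "firewall", "ids" or "unknown" for one EVE alert/drop record.

    drop events are decided by drop.reason, which Suricata already emits.
    alert events are decided by the proposed alert.source field when present.
    Without it, the only option is a caller-supplied SID range (a heuristic,
    as the ticket notes); with no range the answer is "unknown".
    """
    event_type = record.get("event_type")
    if event_type == "drop":
        reason = record.get("drop", {}).get("reason")
        if reason == "rules":
            return "ids"
        if reason in FIREWALL_DROP_REASONS:
            return "firewall"
        return "unknown"  # unlisted reason: do not guess
    if event_type == "alert":
        alert = record.get("alert", {})
        source = alert.get("source")  # proposed field, assumption
        if source == "firewall":
            return "firewall"
        if source in ("ids", "detection"):
            return "ids"
        sid = alert.get("signature_id")
        if firewall_sid_range is not None and isinstance(sid, int):
            lo, hi = firewall_sid_range
            return "firewall" if lo <= sid <= hi else "ids"
        return "unknown"  # today's schema gives no way to tell
    return "unknown"  # not an alert/drop event


def summarize(lines, firewall_sid_range=None):
    """Count (event_type, engine) pairs over an iterable of EVE JSON lines.

    Malformed lines are counted under "malformed" instead of aborting the run,
    since a log consumer must survive a truncated final line.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            counts["malformed"] += 1
            continue
        event_type = record.get("event_type")
        if event_type not in ("alert", "drop"):
            continue
        counts[(event_type, classify_engine(record, firewall_sid_range))] += 1
    return dict(counts)


if __name__ == "__main__":
    print("schema as-is:     ", summarize(SAMPLE_EVE_LINES))
    print("with SID heuristic:", summarize(SAMPLE_EVE_LINES, firewall_sid_range=(1000, 1999)))
```

Run against the constructed lines, the two alerts that lack alert.source come back as ("alert", "unknown") while every drop is classified from drop.reason, which is exactly the asymmetry the description points out; only the SID-range guess or the proposed field resolves them.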
