
Feature #8456: firewall: source field in alert/drop events to distinguish firewall from IDS/IPS

Added by Yash Datre 2 months ago. Updated 29 days ago.

Status: Closed
Priority: Normal

Description

When Suricata runs in firewall mode alongside IDS/IPS detection rules, both engines emit event_type: "alert" events into EVE JSON with an identical schema. There is currently no field in the alert event that indicates whether the alert originated from a firewall rule (accept:flow, reject:flow, etc.) or a traditional IDS/IPS rule (alert, drop).

This makes it impossible for downstream log consumers to programmatically distinguish between firewall policy alerts and IDS/IPS detection alerts without relying on indirect heuristics like SID ranges or signature text fields.

For context, event_type: "drop" events already have something similar: a drop.reason field that differentiates firewall drops (default_packet_policy, pre_stream_hook, etc.) from IDS/IPS drops (rules). Alert events lack an equivalent mechanism.
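An added example, not code from the ticket or the Suricata project: a minimal EVE JSON consumer that classifies drop events by the drop.reason values named above and shows that alert events cannot be classified the same way without heuristics. The sample lines are constructed; alert.signature_id, alert.signature and alert.action are standard EVE alert fields assumed here.

```python
import json

# Constructed EVE JSON lines for illustration, not output from a real Suricata run.
SAMPLE_EVE = """\
{"timestamp":"2025-01-01T00:00:00.000000+0000","event_type":"drop","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","drop":{"reason":"default_packet_policy"}}
{"timestamp":"2025-01-01T00:00:01.000000+0000","event_type":"drop","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","drop":{"reason":"rules"}}
{"timestamp":"2025-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1,"signature":"accept flow from trusted host","action":"allowed"}}
{"timestamp":"2025-01-01T00:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"allowed"}}
"""

# drop.reason values the ticket attributes to the firewall engine (non-exhaustive).
FIREWALL_DROP_REASONS = {"default_packet_policy", "pre_stream_hook"}


def classify_origin(event):
    """Return 'firewall', 'ids_ips', 'unknown' or 'n/a' for one EVE event."""
    event_type = event.get("event_type")
    if event_type == "drop":
        reason = event.get("drop", {}).get("reason")
        if reason == "rules":
            return "ids_ips"
        if reason in FIREWALL_DROP_REASONS:
            return "firewall"
        return "unknown"
    if event_type == "alert":
        # The alert schema carries no origin field. Guessing from SID ranges or
        # signature text is exactly the heuristic the ticket wants to avoid, so
        # a schema-only consumer has to report the origin as unknown.
        return "unknown"
    return "n/a"


def classify_eve(text):
    """Parse newline-delimited EVE JSON and pair each event type with its origin."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        results.append((event.get("event_type"), classify_origin(event)))
    return results


def origin_counts(text):
    """Count events per (event_type, origin), e.g. for a dashboard or a test."""
    counts = {}
    for key in classify_eve(text):
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Running classify_eve on the sample shows both drop events resolved but both alert events, one from a firewall rule and one from a detection rule, indistinguishable.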


Subtasks (1 total: 0 open, 1 closed)

Feature #8544: firewall: source field in alert/drop events to distinguish firewall from IDS/IPS (8.0.x backport) - Closed - Jason Ish

Related issues (1 total: 1 open, 0 closed)

Related to Suricata - Feature #8479: eve/firewall: dedicated log record type - Feedback - OISF Dev