Bug #8456: EVE JSON: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #8456

open

EVE JSON: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts

Bug #8456: EVE JSON: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts

Added by Yash Datre 2 days ago. Updated 2 days ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

TBD

Affected Versions:

8.0.4

Effort:

Difficulty:

Label:

Description

When Suricata runs in firewall mode alongside IDS/IPS detection rules, both engines emit event_type: "alert" events into EVE JSON with an identical schema. There is currently no field in the alert event that indicates whether the alert originated from a firewall rule ( accept:flow , reject:flow , etc.) or a traditional IDS/IPS rule ( alert , drop ).

This makes it impossible for downstream log consumers to programmatically distinguish between firewall policy alerts and IDS/IPS detection alerts without relying on indirect heuristics like SID ranges or signature text fields.

For context, event_type: "drop" events already have something similar drop.reason field that differentiates firewall drops (default_packet_policy, pre_stream_hook, etc.) from IDS/IPS drops (rules). Alert events lack an equivalent mechanism.

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Bug #8456

EVE JSON: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts

YD Updated by Yash Datre 2 days ago Actions
Copy link
#1

Project

General

Profile

Suricata

Custom queries

Bug #8456

EVE JSON: Add source engine field to alert/drop events to distinguish firewall from IDS/IPS alerts

YD Updated by Yash Datre 2 days ago ActionsCopy link #1

YD Updated by Yash Datre 2 days ago Actions
Copy link
#1