Feature #893
closedfeature, put more info in the "drop.log"
Description
Hello,
I am trying Suricata as IPS and I lack some informations in the "drop.log" file.
I think that the file should contain, at least, the SID of the activated rule.
Regards
JP P
Updated by Victor Julien over 10 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Target version set to TBD
As the log is in netfilter's log format, additions would have to stay compatible. Maybe we can mimic netfilters 'log prefix' field to add sid info. Also, it's not always a sid that causes a drop, the stream engine can drop things as well when in 'inline' mode.
Updated by JP Pozzi over 10 years ago
Hello,
The idea to mimic --log-prefix seems nice as it is in the "standard".
Regards
Updated by outrageous uproar about 10 years ago
Also, it's not always a sid that causes a drop, the stream engine can drop things as well when in 'inline' mode.
Let put at least name of engine here. How can I find what is a cause of drop?
Updated by Victor Julien almost 9 years ago
- Status changed from Assigned to Closed
- Assignee changed from Eric Leblond to Victor Julien
- Target version changed from TBD to 3.0RC1
- % Done changed from 0 to 100
Sid is now optionally added to the eve drop log.
Updated by Victor Julien almost 9 years ago
- Target version changed from 3.0RC1 to 2.1beta4