Bug #1177
closed: eve log does not show action 'dropped', only 'allowed'
Affected Versions:
Effort:
Difficulty:
Label:
Description
In all cases — whether the rule action is 'alert', 'drop' or 'reject' — the `action` field in the eve log is always 'allowed'. Sample eve records (note the `event_type` and `alert.action` fields):
{"timestamp":"2014-04-10T10:02:39.874459","event_type":"alert","src_ip":"177.207.216.168","src_port":6030,"dest_ip":"192.168.10.224","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2005541,"rev":5,"signature":"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE","category":"Web Application Attack","severity":1}}
{"timestamp":"2014-04-10T10:02:39.874459","event_type":"alert","src_ip":"177.207.216.168","src_port":6030,"dest_ip":"192.168.10.224","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2005541,"rev":5,"signature":"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE","category":"Web Application Attack","severity":1}}
{"timestamp":"2014-04-10T10:02:39.874459","event_type":"alert","src_ip":"177.207.216.168","src_port":6030,"dest_ip":"192.168.10.224","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006614,"rev":6,"signature":"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE","category":"Web Application Attack","severity":1}}
-------------------------------------------------------
Fixing this problem:
-------------------------------------------------------
diff --git a/src/output-json-alert.c b/src/output-json-alert.c
index 55c51dd..3d2a767 100644
--- a/src/output-json-alert.c
+++ b/src/output-json-alert.c@ -62,7 +62,7
@
#ifdef HAVE_LIBJANSSON
-extern int engine_mode;
+extern uint8_t engine_mode;
typedef struct JsonAlertLogThread_ {
/** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
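Review bot: Changing this local declaration to `extern uint8_t engine_mode;` only fixes the symptom if every other translation unit that declares `engine_mode` now agrees with its definition, which this hunk cannot show — the linker does not check object types, so an `extern int` against a one-byte definition reads three bytes of neighbouring storage, and that is presumably why the IPS-mode comparison failed and every alert was logged as 'allowed'. The durable fix is to declare `engine_mode` once in a shared header and replace this ad-hoc `extern` with the `#include`, so the compiler rather than runtime behaviour catches the next mismatch. Because a wrong 'allowed' verdict in the eve log hides blocked traffic from whoever consumes the log, a test that asserts the logged `action` for a drop rule in IPS mode would guard against regressions; the code mapping the verdict to the action string is outside this hunk. The `#ifdef HAVE_LIBJANSSON` block and the `JsonAlertLogThread_` typedef both continue past the hunk.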
-------------------------------------------------------