Task #7350
Status: Closed
firewall usecase: log app-layer metadata for catch-all drop rules
Description
As documented in #7199, Suricata up to version 7.0.4 or so (check) would always log tx-id for a catch-all drop rule as shown in #7199. Latest Suricata 7 won't log any app-layer metadata in this case, as Suricata can't be sure it's logging the correct data, and no extra data is better than logging the wrong data.
However, this is not ideal for the application firewall use cases where having data about what you are dropping is important. For example, if allow-listing a set of URLs, then dropping all others, it would be ideal to have the HTTP app-layer metadata in the drop logs.
This ticket is to discuss how this use case can be better supported, as we believe the fix in #6846 to be correct.
Some cases are possibly simpler, like when there has only been one transaction recorded, but it gets trickier if there are more.
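The allow-list-then-drop pattern this ticket refers to looks like the following rule set. This is an added illustration written for this page, not a rule set from the ticket or from the Suricata project; the URI prefixes, sids and the 8080 port are constructed placeholders. It relies on Suricata's default action order, in which `pass` rules are evaluated before `drop` rules, so an HTTP request whose URI starts with an allowed prefix is passed and everything else on the flow is caught by the final drop rule.

```suricata
# Allow-list: requests to approved URI prefixes are passed. Both the
# sticky buffer (http.uri) and flow direction are needed so that only
# client requests matching the prefix are let through.
pass http any any -> any 8080 (msg:"allow /api/v1/ prefix"; flow:established,to_server; http.uri; content:"/api/v1/"; startswith; sid:9000001; rev:1;)
pass http any any -> any 8080 (msg:"allow /health"; flow:established,to_server; http.uri; content:"/health"; startswith; endswith; sid:9000002; rev:1;)

# Catch-all: anything reaching this point on the application port is dropped.
# This is the rule whose drop event the ticket is about: it has no app-layer
# keyword of its own, so current Suricata 7 will not attach HTTP metadata
# (hostname, url, etc.) to the resulting drop log even when an HTTP
# transaction is in progress on the flow.
drop tcp any any -> any 8080 (msg:"catch-all drop on app port"; flow:established,to_server; sid:9000099; rev:1;)
```

When reviewing drop logs produced by a set like this, expect the `drop` and `alert` events for sid 9000099 to carry flow and packet fields but not the `http` object; the `pass` rule hits, if logged at all, are the only events that will show which URLs were accepted. That is exactly the gap the ticket asks to close.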
Updated by Jason Ish 2 months ago
- Related to Story #7164: usecase: improve firewall usecase added
Updated by Philippe Antoine 25 days ago
- Status changed from New to In Review
- Target version changed from TBD to 8.0.0-beta1
Updated by Philippe Antoine 16 days ago
- Status changed from In Review to Closed