Task #7350

open

firewall usecase: log app-layer metadata for catch-all drop rules

Added by Jason Ish 4 days ago. Updated 4 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

As documented in #7199, Suricata up to version 7.0.4 or so (check) would always log tx-id for a catch-all drop rule as shown in #7199. Latest Suricata 7 won't log any app-layer metadata in this case, as Suricata can't be sure it's logging the correct data, and no extra data is better than logging the wrong data.

However, this is not ideal for the application firewall use cases where having data about what you are dropping is important. For example, if allow-listing a set of URLs, then dropping all others, it would be ideal to have the HTTP app-layer metadata in the drop logs.

This ticket is to discuss how this use case can be better supported, as we believe the fix in #6846 to be correct.

Some cases are possibly simpler, like when there has only been one transaction recorded, but it gets trickier if there are more.
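To make the attribution problem concrete, here is an added example that is not Suricata's code and not part of the ticket: a small post-processor over EVE-style JSON records that attaches HTTP metadata to a drop alert only when the attribution is unambiguous. The records, flow ids, signature id and hostnames are constructed; the "exactly one transaction in the flow" rule is the simpler case the ticket mentions, implemented here as a heuristic, not as Suricata's actual behaviour.

```python
"""Added example (not Suricata's code): decide which HTTP transaction, if any,
a catch-all drop alert may safely be annotated with.

Policy mirrored from the ticket:
  - an explicit tx_id on the alert is authoritative;
  - a flow with exactly one recorded transaction has nothing to confuse, so use it;
  - anything else is ambiguous and gets no app-layer metadata (the #6846 position:
    no data is better than wrong data).
"""
import json
from collections import defaultdict

# Constructed EVE-style "http" records, not real Suricata output. Flow 1001 carries
# a single transaction; flow 1002 carries two, which makes attribution ambiguous.
HTTP_EVENTS = [
    {"event_type": "http", "flow_id": 1001, "tx_id": 0,
     "http": {"hostname": "api.example.test", "url": "/api/status", "http_method": "GET"}},
    {"event_type": "http", "flow_id": 1002, "tx_id": 0,
     "http": {"hostname": "api.example.test", "url": "/api/status", "http_method": "GET"}},
    {"event_type": "http", "flow_id": 1002, "tx_id": 1,
     "http": {"hostname": "api.example.test", "url": "/admin/config", "http_method": "GET"}},
]

# Constructed drop alerts from a catch-all rule (assumed sid 9999999). As the ticket
# describes for current Suricata 7, they carry neither tx_id nor an "http" object.
DROP_ALERTS = [
    {"event_type": "alert", "flow_id": 1001,
     "alert": {"action": "blocked", "signature_id": 9999999, "signature": "catch-all drop"}},
    {"event_type": "alert", "flow_id": 1002,
     "alert": {"action": "blocked", "signature_id": 9999999, "signature": "catch-all drop"}},
]


def index_transactions(http_events):
    """Map flow_id -> {tx_id: http metadata} from a stream of EVE records."""
    by_flow = defaultdict(dict)
    for ev in http_events:
        if ev.get("event_type") != "http":
            continue
        by_flow[ev["flow_id"]][ev["tx_id"]] = ev["http"]
    return by_flow


def pick_http_metadata(txs, alert_tx_id=None):
    """Return the HTTP metadata an alert may safely carry, or None if ambiguous."""
    if alert_tx_id is not None:
        return txs.get(alert_tx_id)      # explicit tx id: trust it (or nothing if unknown)
    if len(txs) == 1:
        return next(iter(txs.values()))  # the "simpler case": only one transaction seen
    return None                          # zero or several transactions: refuse to guess


def enrich_drop_alerts(alerts, http_events):
    """Return copies of the alerts with an "http" object added where attribution is safe."""
    by_flow = index_transactions(http_events)
    enriched = []
    for alert in alerts:
        rec = dict(alert)
        meta = pick_http_metadata(by_flow.get(rec["flow_id"], {}), rec.get("tx_id"))
        if meta is not None:
            rec["http"] = meta
        enriched.append(rec)
    return enriched


if __name__ == "__main__":
    for rec in enrich_drop_alerts(DROP_ALERTS, HTTP_EVENTS):
        print(json.dumps(rec))
```

Running it prints the flow 1001 drop with its `/api/status` metadata and the flow 1002 drop with none, which is exactly the gap the ticket is about: an operator allow-listing URLs cannot tell from the second record whether `/admin/config` or `/api/status` triggered the drop, and guessing tx 0 would be wrong in the cases #6846 fixed.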


Related issues 3 (2 open, 1 closed)

Related to Suricata - Bug #6846: alerts: wrongly using tx id 0 when there is no tx (Closed, Philippe Antoine)
Related to Suricata - Bug #7199: Suricata 7 no longer logging app-layer metadata in alerts (New, OISF Dev)
Related to Suricata - Story #7164: usecase: improve firewall usecase (New, Victor Julien)