Feature #893: feature, put more info in the "drop.log"
Status: Closed
I am trying Suricata as an IPS and I am missing some information in the "drop.log" file.
I think that the file should contain, at least, the SID of the rule that was triggered.
Updated by Victor Julien over 11 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Target version set to TBD
As the log is in netfilter's log format, additions would have to stay compatible. Maybe we can mimic netfilter's 'log prefix' field to add sid info. Also, it's not always a sid that causes a drop; the stream engine can drop things as well when in 'inline' mode.
Updated by JP Pozzi over 11 years ago
The idea to mimic --log-prefix seems nice as it is in the "standard".
Updated by outrageous uproar almost 11 years ago
> Also, it's not always a sid that causes a drop, the stream engine can drop things as well when in 'inline' mode.
Let's at least put the name of the engine here. How can I find out what the cause of a drop is?
Updated by Victor Julien almost 10 years ago
- Status changed from Assigned to Closed
- Assignee changed from Eric Leblond to Victor Julien
- Target version changed from TBD to 3.0RC1
- % Done changed from 0 to 100
Sid is now optionally added to the eve drop log.
Updated by Victor Julien almost 10 years ago
- Target version changed from 3.0RC1 to 2.1beta4