
Task #7350

Updated by Jason Ish 4 days ago

As documented in #7199, Suricata up to version 7.0.4 or so (check) would always log tx-id for a catch-all drop rule as shown in #7199. Latest Suricata 7 won't log any app-layer metadata in this case, as Suricata can't be sure it's logging the correct data, and no extra data is better than logging the wrong data.

However, this is not ideal for the application firewall use cases where having data about what you are dropping is important. For example, if allow-listing a set of URLs, then dropping all others, it would be ideal to have the HTTP app-layer metadata in the drop logs.

This ticket is to discuss how this use case can be better supported, as we believe the fix in #6846 to be correct.

Some cases are possibly simpler, like when there has only been one transaction recorded, but it gets trickier if there are more.
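The following is an added example, not part of this ticket and not Suricata project code. It shows the check an operator running the allow-list-plus-catch-all-drop setup above might run against their EVE JSON log to see whether drop events are arriving with or without app-layer metadata, which is exactly the behaviour difference the ticket describes. The record layout of the sample lines is constructed for the example (event_type, flow_id, app_proto, an optional tx_id and an optional per-protocol object such as "http"); the real field set on a drop event depends on the Suricata version and EVE configuration.

```python
"""Scan Suricata EVE JSON lines for 'drop' events that lack app-layer metadata.

Added example, not Suricata's own code. The sample records below are
constructed; their field layout is an assumption about EVE's general shape.
"""
import json

# Per-protocol EVE object we expect next to a drop when the engine could
# attribute the drop to a specific transaction (assumption for this example).
APP_LAYER_KEYS = {"http": "http", "dns": "dns", "tls": "tls", "smtp": "smtp"}


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A partially written last line is common on a live log; ignore it.
            continue
    return events


def classify_drop(event):
    """Return 'with-metadata', 'without-metadata', or None if not a drop event.

    A drop counts as 'with-metadata' only if it carries both a tx_id and the
    per-protocol object for its app_proto, i.e. the engine committed to one
    transaction and logged it.
    """
    if event.get("event_type") != "drop":
        return None
    key = APP_LAYER_KEYS.get(event.get("app_proto"))
    has_tx = "tx_id" in event
    has_obj = key is not None and key in event
    return "with-metadata" if (has_tx and has_obj) else "without-metadata"


def drops_missing_app_layer(text):
    """Return flow_ids of drops on a recognised app-layer protocol that carry no tx metadata.

    Flows whose protocol detection failed or never happened are excluded,
    since no app-layer metadata could exist for them in the first place.
    """
    missing = []
    for ev in parse_eve(text):
        if classify_drop(ev) != "without-metadata":
            continue
        if ev.get("app_proto") in (None, "failed"):
            continue
        missing.append(ev["flow_id"])
    return missing


# Constructed sample log: flow 1 is the older behaviour (tx_id + http object
# logged on the drop), flow 2 is the newer behaviour (nothing app-layer
# logged), flow 3 never got an app-layer protocol, flow 4 is not a drop.
SAMPLE_EVE = """
{"flow_id": 1, "event_type": "drop", "app_proto": "http", "tx_id": 0, "http": {"hostname": "example.test", "url": "/not-on-the-allow-list"}}
{"flow_id": 2, "event_type": "drop", "app_proto": "http"}
{"flow_id": 3, "event_type": "drop", "app_proto": "failed"}
{"flow_id": 4, "event_type": "alert", "app_proto": "http", "tx_id": 0, "http": {"hostname": "example.test", "url": "/allowed"}}
"""

if __name__ == "__main__":
    for ev in parse_eve(SAMPLE_EVE):
        print(ev["flow_id"], classify_drop(ev))
    print("drops without app-layer metadata:", drops_missing_app_layer(SAMPLE_EVE))
```

Run against a real eve.json, a non-empty result from drops_missing_app_layer is the situation this ticket is about: the catch-all drop fired on an HTTP flow, but the log line cannot tell you which URL was dropped.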
