[Oisf-devel] Logging
m
martinbarrowcliff at gmail.com
Sat Aug 7 18:44:32 UTC 2010
I have an issue with Suricata logging.
As part of my firewall I have Suricata configured as an IPS and my rules
mix DROP and ALERT actions.
For efficiency I only use the default fast.log.
I do see rules fire.
2010-08-05 11:34:56 suricata: 08/05/10-15:34:54.679423 [**]
[1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**]
[Classification: Potentially Bad Traffic] [Priority: 3] {6}
61.xxx.52.98:6000 -> 192.168.xxx.xxx:1433 [Xref =>
http://doc.emergingthreats.net/2010935][Xref =>
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DB_Connections]
So with that log info, tell me what happened; was the packet sent on to
the server or dropped? Right, this does not show disposition.
Looking a little deeper, I don't see any option for logging the action.
/* The different log format specifiers supported by the API */
#define SC_LOG_FMT_TIME 't' /* Timestamp in standard format */
#define SC_LOG_FMT_PID 'p' /* PID */
#define SC_LOG_FMT_TID 'i' /* Thread ID */
#define SC_LOG_FMT_TM 'm' /* Thread module name */
#define SC_LOG_FMT_LOG_LEVEL 'd' /* Log level */
#define SC_LOG_FMT_FILE_NAME 'f' /* File name */
#define SC_LOG_FMT_LINE 'l' /* Line number */
#define SC_LOG_FMT_FUNCTION 'n' /* Function */
Marty B.
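A small parser for the fast.log line format quoted above, added here as an example; it is not part of Marty's post or Suricata's own code. It splits an alert into fields and makes the missing disposition explicit: action stays None for the 2010 layout, which carries no drop/alert marker. It also accepts an optional [Drop] or [wDrop] tag before the first [**], which later Suricata releases print for dropped packets; that tag is an assumption about later versions and does not appear on this page. The two sample lines are constructed (the first is the post's wrapped entry joined onto one line).

```python
import re
from typing import Optional

# Constructed sample: the post's wrapped fast.log entry joined onto one line.
SAMPLE_ALERT = (
    "2010-08-05 11:34:56 suricata: 08/05/10-15:34:54.679423 [**] "
    "[1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 3] {6} "
    "61.xxx.52.98:6000 -> 192.168.xxx.xxx:1433 "
    "[Xref => http://doc.emergingthreats.net/2010935]"
    "[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DB_Connections]"
)
# Constructed sample in the later layout (assumption: later Suricata releases
# print "[Drop]" before the first "[**]" when the packet was dropped).
SAMPLE_DROP = (
    "08/05/10-15:34:54.679423  [Drop] [**] [1:2010935:2] ET POLICY Suspicious "
    "inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] "
    "[Priority: 3] {TCP} 61.xxx.52.98:6000 -> 192.168.xxx.xxx:1433"
)

FAST_RE = re.compile(
    r"^(?:.*?suricata:\s*)?"                                   # optional syslog prefix
    r"(?P<ts>\d{2}/\d{2}/\d{2,4}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"                          # no such field in 2010
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)(?=\s|$)"
    r"(?P<rest>.*)$"
)
XREF_RE = re.compile(r"\[Xref\s*=>\s*([^\]]+)\]")
INT_FIELDS = ("gid", "sid", "rev", "prio", "sport", "dport")

def parse_fast_line(line: str) -> Optional[dict]:
    """Split one fast.log alert into fields; None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    rec["xrefs"] = XREF_RE.findall(rec.pop("rest"))
    return rec   # rec["action"] is None when the line carries no disposition

def disposition(rec: dict) -> str:
    """What the line itself tells an analyst: 'drop', 'wdrop' or 'unknown'."""
    return rec["action"].lower() if rec["action"] else "unknown"
```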