[Oisf-devel] Logging

m martinbarrowcliff at gmail.com
Sat Aug 7 18:44:32 UTC 2010

I have an issue with Suricata logging.

As part of my firewall I have Suricata configured as an IPS and my rules 
mix DROP and ALERT actions.
For efficiency I only use the default fast.log.
I do see rules fire.

2010-08-05 11:34:56    suricata:    08/05/10-15:34:54.679423 [**] 
[1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] 
[Classification: Potentially Bad Traffic] [Priority: 3] {6} 
61.xxx.52.98:6000 -> 192.168.xxx.xxx:1433 [Xref => 
http://doc.emergingthreats.net/2010935][Xref => 

So with that log info, tell me what happened; was the packet sent on to 
the server or dropped?  Right, this does not show disposition.
Looking a little deeper, I don't see any option for logging the action.

/* The different log format specifiers supported by the API */
#define SC_LOG_FMT_TIME             't' /* Timestamp in standard format */
#define SC_LOG_FMT_PID              'p' /* PID */
#define SC_LOG_FMT_TID              'i' /* Thread ID */
#define SC_LOG_FMT_TM               'm' /* Thread module name */
#define SC_LOG_FMT_LOG_LEVEL        'd' /* Log level */
#define SC_LOG_FMT_FILE_NAME        'f' /* File name */
#define SC_LOG_FMT_LINE             'l' /* Line number */
#define SC_LOG_FMT_FUNCTION         'n' /* Function */

Marty B.

More information about the Oisf-devel mailing list