Is it possible to support "reject", "pass" in eve.log? Can they be used with "tagged-packets"?

In eve.log, I could see multiple types supported, but not “reject” or “pass”. Is it possible to support logging these when a packet hits the rules? Also the “tagged-packets” option in “alert” is very useful, is it possible to support this as well?

I saw the previous post about recording pass event, not sure how specifically it worked.

Hello, welcome to the Suricata forum :slight_smile:

pass and reject are rule actions, much like alert or drop are. That means that when a rule matches, if the alert event is enabled in the outputs.eve-log section, you will see events for that, regardless of the rule action (unless the noalert keyword is used in the rule. See 6.40. Config Rules — Suricata 7.0.0-rc2-dev documentation). drop events are a bit different on that regard, because some situations may cause the whole flow to be dropped, so we have a configuration option to indicate if we should log the first drop event only, or all packets.

We also have the option to log tagged packets (see 10.1. Suricata.yaml — Suricata 7.0.0-rc2-dev documentation).

I am not sure if this helps with your request. If not, could you please elaborate more what you have in mind?

Thanks for the response, I do have one further question. Utilizing the current options, the tagged packets events are logged in the same file with (pass, reject) alert events. Does that mean there is no way in separating these entries to a different file from configuration? Thanks.

The logging is currently done based on the event type, so it’s an alert event type in those cases. It could be a feature request, but I personally doubt that it would have a high priority since you could use postprocess tooling for that as well.

1 Like