suricata icon indicating copy to clipboard operation
suricata copied to clipboard
verified publisher icon OISF

App proto logging

Open regit opened this issue 4 months ago • 6 comments

There was a regression between Suricata 7 and Suricata 8. The app_proto was logged in almost all events in 7 and is only log in a small subset (fileinfo, flow, frame, netflow) in 8.

This patch updates the code to log app_proto in all events if there is a Flow available. It is making use of EveAddAppProto function to get interesting information such as original application protocol or difference between server and client side.

Contribution style:

  • [x] I have read the contributing guide lines at https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

  • [x] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

  • [x] I have updated the User Guide (in doc/userguide/) to reflect the changes made
  • [x] I have updated the JSON schema (in etc/schema.json) to reflect all logging changes (including schema descriptions)
  • [x] I have created a ticket at https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: https://redmine.openinfosecfoundation.org/issues/

Describe changes:

  • log app_proto when creating EVE header

SV_BRANCH=https://github.com/OISF/suricata-verify/pull/2640

regit avatar Sep 08 '25 07:09 regit

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 83.72%. Comparing base (0662736) to head (32634bd).

Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #13810   +/-   ##
=======================================
  Coverage   83.71%   83.72%           
=======================================
  Files        1011     1011           
  Lines      275116   275115    -1     
=======================================
+ Hits       230321   230330    +9     
+ Misses      44795    44785   -10
Flag Coverage Δ
fuzzcorpus 63.02% <100.00%> (+0.02%) :arrow_up:
livemode 19.00% <53.33%> (+<0.01%) :arrow_up:
pcap 44.69% <86.66%> (+<0.01%) :arrow_up:
suricata-verify 65.09% <100.00%> (+<0.01%) :arrow_up:
unittests 59.16% <0.00%> (+<0.01%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Sep 08 '25 08:09 codecov[bot]

Would be nice to get a Fixes tag for this, do we know which commit(s) broke it?

victorjulien avatar Sep 08 '25 08:09 victorjulien

Would be nice to get a Fixes tag for this, do we know which commit(s) broke it?

I did not investigate. I'll try to get that.

regit avatar Sep 08 '25 11:09 regit

Would be nice to get a Fixes tag for this, do we know which commit(s) broke it?

I did not investigate. I'll try to get that.

OUTCH, really sorry, this is not a regression. I forgot one patch was bringing that to the 7.0.x branch I did test. So this issue becomes a feature request. I'm updating redmine.

regit avatar Sep 08 '25 11:09 regit

https://redmine.openinfosecfoundation.org/issues/7888 for the record ;-)

catenacyber avatar Sep 14 '25 20:09 catenacyber

So, the commit message needs to be changed :-p

There was a regression between Suricata 7 and Suricata 8.

Otherwise, code and tests look good...

I wonder if this should be optional (as logs become more verbose) I guess this deserves an upgrade note

I agree on this becoming optional. But could there maybe be a shorter version, instead of all or nothing? (Not fully sure if such a thing would make sense 🤔 )

jufajardini avatar Sep 19 '25 12:09 jufajardini