eve: add rule generation source to alert record - v1 by jasonish · Pull Request #15335 · OISF/suricata

jasonish · 2026-05-07T21:41:37Z

Ticket: https://redmine.openinfosecfoundation.org/issues/8456

Draft to see how "alert.engine" feels... Examples:

"alert": {
  "engine": "fw"
}

"alert": {
  "engine": "td"
}

codecov · 2026-05-07T23:14:47Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.64%. Comparing base (8968b1c) to head (7463306).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #15335      +/-   ##
==========================================
- Coverage   82.66%   82.64%   -0.03%     
==========================================
  Files         995      995              
  Lines      271046   271048       +2     
==========================================
- Hits       224069   224000      -69     
- Misses      46977    47048      +71

Flag	Coverage Δ
fuzzcorpus	`61.05% <50.00%> (-0.01%)`	⬇️
livemode	`18.37% <50.00%> (-0.02%)`	⬇️
netns	`22.57% <100.00%> (-0.07%)`	⬇️
pcap	`45.21% <50.00%> (-0.02%)`	⬇️
suricata-verify	`66.38% <100.00%> (-0.02%)`	⬇️
unittests	`58.57% <0.00%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

suricata-qa · 2026-05-07T23:20:03Z

Information: QA ran without warnings.

Pipeline = 31277

victorjulien · 2026-05-08T05:29:35Z

In other parts of the firewall logic I referred to the IDS/IPS rules as "td" (threat detection). I think it would make sense to use that here as well.

When an alert is generated from firewall context, add an engine value of "fw", otherwise "td" (for threat detect). The engine field is only added when firewall mode is enabled. Ticket: OISF#8456

jasonish · 2026-05-08T18:53:07Z

In other parts of the firewall logic I referred to the IDS/IPS rules as "td" (threat detection). I think it would make sense to use that here as well.

Makes sense. Updated to be td.

jasonish · 2026-05-08T18:53:25Z

+                        "fw",
+                        "td"
+                    ],
+                    "description": "Engine that generated the alert in firewall mode: fw for firewall rules, td for threat detect rules."


Suggested change

"description": "Engine that generated the alert in firewall mode: fw for firewall rules, td for threat detect rules."

"description": "Engine that generated the alert in firewall mode: fw for firewall rules, td for threat detection rules."

jasonish · 2026-05-08T18:53:49Z

 the signature.

+In firewall mode, the ``alert.engine`` field identifies which rule engine
+generated the alert: ``fw`` for firewall rules and ``td`` for threat detect


Suggested change

generated the alert: ``fw`` for firewall rules and ``td`` for threat detect

generated the alert: ``fw`` for firewall rules and ``td`` for threat detection

jasonish · 2026-05-08T18:54:39Z

I didn't like engine at first, and didn't have any other ideas. But I think its growing on me.

I could imagine some post-processing engine in the future, or something...

suricata-qa · 2026-05-08T21:30:02Z

WARNING:

field	baseline	test	%
	SURI_TLPW2_single_stats_chk
.uptime	1355	1397	103.1%

Pipeline = 31301

jasonish requested review from a team, jufajardini and victorjulien as code owners May 7, 2026 21:41

jasonish marked this pull request as draft May 7, 2026 21:41

eve: add rule generation source to alert record

7463306

When an alert is generated from firewall context, add an engine value of "fw", otherwise "td" (for threat detect). The engine field is only added when firewall mode is enabled. Ticket: OISF#8456

jasonish force-pushed the source-field/v1 branch from 6be1d15 to 7463306 Compare May 8, 2026 18:51

jasonish commented May 8, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

eve: add rule generation source to alert record - v1#15335

eve: add rule generation source to alert record - v1#15335
jasonish wants to merge 1 commit intoOISF:mainfrom
jasonish:source-field/v1

jasonish commented May 7, 2026 •

edited

Loading

Uh oh!

codecov Bot commented May 7, 2026 •

edited

Loading

Uh oh!

suricata-qa commented May 7, 2026

Uh oh!

victorjulien commented May 8, 2026

Uh oh!

jasonish commented May 8, 2026

Uh oh!

jasonish May 8, 2026

Uh oh!

jasonish May 8, 2026

Uh oh!

jasonish commented May 8, 2026

Uh oh!

suricata-qa commented May 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

	"description": "Engine that generated the alert in firewall mode: fw for firewall rules, td for threat detect rules."
	"description": "Engine that generated the alert in firewall mode: fw for firewall rules, td for threat detection rules."

	generated the alert: ``fw`` for firewall rules and ``td`` for threat detect
	generated the alert: ``fw`` for firewall rules and ``td`` for threat detection

Conversation

jasonish commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov Bot commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

suricata-qa commented May 7, 2026

Uh oh!

victorjulien commented May 8, 2026

Uh oh!

jasonish commented May 8, 2026

Uh oh!

jasonish May 8, 2026

Choose a reason for hiding this comment

Uh oh!

jasonish May 8, 2026

Choose a reason for hiding this comment

Uh oh!

jasonish commented May 8, 2026

Uh oh!

suricata-qa commented May 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

jasonish commented May 7, 2026 •

edited

Loading

codecov Bot commented May 7, 2026 •

edited

Loading