<div dir="ltr">Flowbits could be messy. You might have more than one flowbit, and in any case, you would ideally like to wrap all the sigs that were associated with a flowbit flow into the alert. That could get very ugly.<div><br></div><div>I think just getting the sig into the alerts would be great as a start. :)</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 21, 2016 at 8:01 PM, Adam Witt <span dir="ltr"><<a href="mailto:AWitt@westernalliancebank.com" target="_blank">AWitt@westernalliancebank.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Shortly after sending this, I realized that I asked for two different things. I wouldn't want to log signatures for all set flowbits in a given flow - just signatures which set flowbits that the alerting rule relied on to fire.<br>
<br>
--<br>
Adam<br>
<div><div class="h5"><br>
-----Original Message-----<br>
From: Oisf-users [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@<wbr>lists.openinfosecfoundation.<wbr>org</a>] On Behalf Of Adam Witt<br>
Sent: Monday, November 21, 2016 5:08 PM<br>
To: Jason Ish; erik clark<br>
Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.<wbr>openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] eve.json logging issues<br>
<br>
+1, adding signature logic to alert output would be a nice convenience.<br>
<br>
In that same context, would it be interesting to look at optionally appending signature logic related to flowbits as well? Specifically the signatures which 'set' flowbits required for an alert to fire. My initial thinking is the alert log could include both the alert signature, and the logic for flowbit-related signatures which remained set in the 'flowvars' structure at the time an alert signature matched. I may be considering the wrong aspects of Suricata for the development piece - but this might help provide a well-rounded representation of the decision-making involved in a given alert firing.<br>
<br>
--<br>
Adam<br>
<br>
<br>
-----Original Message-----<br>
From: Oisf-users [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@<wbr>lists.openinfosecfoundation.<wbr>org</a>] On Behalf Of Jason Ish<br>
Sent: Thursday, November 17, 2016 11:45 AM<br>
To: erik clark<br>
Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.<wbr>openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] eve.json logging issues<br>
<br>
On Thu, Nov 17, 2016 at 12:30 PM, erik clark <<a href="mailto:philosnef@gmail.com">philosnef@gmail.com</a>> wrote:<br>
> Thanks! That worked.<br>
><br>
> Is there a way to get the actual content of the signature into the<br>
> alert? So not just the payload, subject, flowdata and so forth, but<br>
> the actual signature itself, so someone can look at it in the alert to<br>
> see why it may have fired erroneously...<br>
<br>
No, not currently. But you aren't the first one to ask so perhaps its something we should think about doing.<br>
<br>
Jason<br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://suricon.net" rel="noreferrer" target="_blank">http://suricon.net</a><br>
<br>
CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete this email (and any attachments) from your system.<br>
Need to send me a file too big for email? You can upload it at <a href="http://westernalliancebancorp.sharefile.com" rel="noreferrer" target="_blank">westernalliancebancorp.<wbr>sharefile.com</a><<a href="http://westernalliancebancorp.sharefile.com/" rel="noreferrer" target="_blank">westernallianceb<wbr>ancorp.sharefile.com/</a>><br>
______________________________<wbr>__<br>
<br>
CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete this email (and any attachments) from your system.<br>
<br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
</div></div>Suricata User Conference November 9-11 in Washington, DC: <a href="http://suricon.net" rel="noreferrer" target="_blank">http://suricon.net</a> Need to send me a file too big for email? You can upload it at <a href="http://westernalliancebancorp.sharefile.com" rel="noreferrer" target="_blank">westernalliancebancorp.<wbr>sharefile.com</a><<a href="http://westernalliancebancorp.sharefile.com/" rel="noreferrer" target="_blank">westernallianceb<wbr>ancorp.sharefile.com/</a>><br>
<div class="HOEnZb"><div class="h5">______________________________<wbr>__<br>
<br>
CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete this email (and any attachments) from your system.<br>
<br>
Need to send me a file too big for email? You can upload it at <a href="http://westernalliancebancorp.sharefile.com" rel="noreferrer" target="_blank">westernalliancebancorp.<wbr>sharefile.com</a><<a href="http://westernalliancebancorp.sharefile.com/" rel="noreferrer" target="_blank">westernallianceb<wbr>ancorp.sharefile.com/</a>><br>
______________________________<wbr>__<br>
<br>
CONFIDENTIALITY. This email and any attachments are confidential, except where the email states it can be disclosed; it may also be privileged. If received in error, please do not disclose the contents to anyone, but notify the sender by return email and delete this email (and any attachments) from your system.<br>
<br>
</div></div></blockquote></div><br></div>