[Discussion] Limit files-json logging
cdevoe57 at nycap.rr.com
cdevoe57 at nycap.rr.com
Wed Mar 5 19:43:23 UTC 2014
We are attempting to set up and use MD5 hash alerting (rules with filemd5 keywords). We have set up the alerts and can trigger an alert based on the hash of a file.
e.g. alert http any any -> any any (msg: "A known bad hash was accessed"; filemd5:badmd5s.txt; filestore; classtype:bad-md5; sid:1; rev:1;)
When we enable the files-json.log in the yaml file, it includes all files, not just those that match the rule. Is there a way to only log the files which trigger an alert instead of everything?
More information about the Discussion
mailing list