[Oisf-users] App layer decoding of Eve.json alerts

Victor Julien lists at inliniac.net
Tue Jul 12 20:15:29 UTC 2016


On 12-07-16 22:13, SiNA wrote:
> When Suricata generates an alert based on ip reputation rules, the alert
> json log doesn't include decoded application layer information. I see
> the option of including the payload itself, which would require
> additional processing by a third party script or tool. Is it possible to
> configure Suricata to generate both an event and an alert in this case?

IP only rules are generally inspected on the first packet of the flow
only. For TCP that is normally the SYN packet, so there isn't much we
can log then.

Each event contains a flow_id field that you can use to correlate
multiple events.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
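The flow_id correlation described in the reply, as an added example that is not part of the thread: a Python script that joins each alert to the http and flow records Suricata writes later for the same flow_id, so an IP-only alert fired on the SYN ends up next to the decoded application layer data. The EVE lines are constructed (field names follow the EVE format; the signature id, addresses and hostnames are made up).

```python
import json
from collections import defaultdict

# Constructed sample EVE output (not from the list post): an IP-only alert that
# fired on the SYN, then the http and flow records emitted later for the same flow.
SAMPLE_EVE = """\
{"timestamp":"2016-07-12T20:00:01.000000+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"IP reputation hit (constructed)","category":"Reputation"}}
{"timestamp":"2016-07-12T20:00:02.000000+0000","flow_id":1001,"event_type":"http","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","http":{"hostname":"example.test","url":"/index.html","http_user_agent":"curl/7.47.0","http_method":"GET","status":200}}
{"timestamp":"2016-07-12T20:00:03.000000+0000","flow_id":2002,"event_type":"http","src_ip":"10.0.0.6","src_port":51001,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","http":{"hostname":"other.test","url":"/","http_method":"GET","status":404}}
{"timestamp":"2016-07-12T20:00:10.000000+0000","flow_id":1001,"event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":600,"bytes_toclient":1500,"state":"closed"}}
"""

# Event types worth attaching to an alert; extend as needed for your enabled outputs.
APP_LAYER_TYPES = ("http", "dns", "tls", "smtp", "ssh", "fileinfo", "flow")


def enrich_alerts(lines):
    """Return alert events with same-flow app-layer/flow records attached.

    Two passes over the input would not be needed on a finished file, but reading
    everything first keeps the join correct regardless of the order Suricata
    wrote the records (the alert normally comes well before the flow record)."""
    by_flow = defaultdict(list)
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated line, e.g. one still being written
        fid = ev.get("flow_id")
        if fid is None:
            continue  # stats and other flow-less records cannot be correlated
        if ev.get("event_type") == "alert":
            alerts.append(ev)
        elif ev.get("event_type") in APP_LAYER_TYPES:
            by_flow[fid].append(ev)

    enriched = []
    for alert in alerts:
        related = by_flow.get(alert["flow_id"], [])
        out = dict(alert, related_events=related)
        # app_proto as recorded in the flow record, once the flow has been logged
        out["app_proto"] = next((r["app_proto"] for r in related
                                 if r.get("event_type") == "flow" and r.get("app_proto")), None)
        # first decoded HTTP transaction seen on this flow, if any
        out["http"] = next((r["http"] for r in related if r.get("event_type") == "http"), None)
        enriched.append(out)
    return enriched


if __name__ == "__main__":
    for a in enrich_alerts(SAMPLE_EVE.splitlines()):
        print(json.dumps(a, indent=2))
```

Against a live eve.json the same function can be fed the file's lines; alerts whose flow has not finished yet simply come back with an empty related_events list until the flow record arrives.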