[Oisf-users] App layer decoding of Eve.json alerts

SiNA sina.rabbani at gmail.com
Tue Jul 12 21:52:56 UTC 2016


Thank you for your reply!

When an alert is triggered from the IP Reputation rules, I only see 1
entry with event_type: alert in the log. I don't see another entry
which contains more details about the packet.
Am I missing something here? I'm cleaning up my configuration files to
post here shortly. Do I need to have flow logging enabled too?

All the best,
Sina



--
SiNA
PGP: 0x0B47D56D


On Tue, Jul 12, 2016 at 4:15 PM, Victor Julien <lists at inliniac.net> wrote:
> On 12-07-16 22:13, SiNA wrote:
>> When Suricata generates an alert based on ip reputation rules, the alert
>> json log doesn't include decoded application layer information. I see
>> the option of including the payload itself, which would require
>> additional processing by a third party script or tool. Is it possible to
>> configure Suricata to generate both an event and an alert in this case?
>
> IP only rules are generally inspected on the first packet of the flow
> only. For TCP that is normally the SYN packet, so there isn't much we
> can log then.
>
> Each event contains a flow_id field that you can use to correlate
> multiple events.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
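Added example (editor's note, not code from either poster or from the Suricata project): the correlation Victor describes, done offline over eve.json. An IP-only rule fires on the first packet of the flow, so the alert record itself carries no application-layer fields; the later http/tls/dns/flow records for the same flow_id do. The script below groups records by flow_id and attaches those later records to each alert. The sample log lines are constructed, including the rule name and SID; the script assumes the relevant eve-log outputs (http, flow, ...) are enabled on the sensor, and that flow_id is compared only within one sensor's log.

```python
"""Join Suricata eve.json alert records to the app-layer records of the same flow.

Added example, not Suricata code. Assumes newline-delimited eve.json with the
http/flow outputs enabled; flow_id is only assumed unique within one sensor's log.
"""
import json
from collections import defaultdict

# Constructed sample eve.json lines (not a real capture; SID and rule name invented).
SAMPLE_EVE = '''
{"timestamp":"2016-07-12T21:00:00.000001+0000","flow_id":1234567890123456,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL IP reputation match","category":"","severity":3}}
{"timestamp":"2016-07-12T21:00:00.120000+0000","flow_id":1234567890123456,"event_type":"http","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","http":{"hostname":"example.test","url":"/update.bin","http_user_agent":"curl/7.47.0","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":4096}}
{"timestamp":"2016-07-12T21:00:05.000000+0000","flow_id":1234567890123456,"event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":512,"bytes_toclient":4500,"start":"2016-07-12T21:00:00.000001+0000","end":"2016-07-12T21:00:04.900000+0000","state":"closed","reason":"timeout"}}
{"timestamp":"2016-07-12T21:00:07.000000+0000","flow_id":9999999999999999,"event_type":"dns","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1,"rrname":"example.test","rrtype":"A"}}
'''

# Event types whose record carries a decoded app-layer object under the same key.
APP_LAYER_TYPES = ("http", "tls", "dns", "ssh", "smtp", "fileinfo")


def parse_eve(text):
    """Parse newline-delimited eve.json; skip blank or malformed lines and
    records without the two keys the join needs."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "event_type" in ev and "flow_id" in ev:
            events.append(ev)
    return events


def index_by_flow(events):
    """Group records by flow_id, each group in timestamp order (eve timestamps
    share one fixed format, so string order is time order)."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev["flow_id"]].append(ev)
    for group in by_flow.values():
        group.sort(key=lambda e: e["timestamp"])
    return by_flow


def enrich_alerts(events):
    """For every alert, attach the other records of the same flow: the
    app_proto the flow record settled on and the decoded app-layer objects."""
    by_flow = index_by_flow(events)
    enriched = []
    for ev in events:
        if ev["event_type"] != "alert":
            continue
        related = [e for e in by_flow[ev["flow_id"]] if e is not ev]
        app_proto = None
        app_layer = {}
        for e in related:
            t = e["event_type"]
            if t == "flow":
                app_proto = e.get("app_proto")
            elif t in APP_LAYER_TYPES and t in e:
                app_layer.setdefault(t, []).append(e[t])
        enriched.append({
            "flow_id": ev["flow_id"],
            "signature_id": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"],
            "app_proto": app_proto,                 # None if no flow record seen yet
            "related_event_types": [e["event_type"] for e in related],
            "app_layer": app_layer,                 # {} for an alert with no app-layer records
        })
    return enriched


if __name__ == "__main__":
    for rec in enrich_alerts(parse_eve(SAMPLE_EVE)):
        print(json.dumps(rec, indent=2))
```

Because the flow record is written when the flow ends, an alert read from a live tail has no app_proto until that record arrives; batch processing after the flow timeout, or re-running the join later, avoids treating that gap as missing data.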


