[Oisf-users] eve.json logging issues

Adam Witt AWitt at westernalliancebank.com
Tue Nov 22 00:08:03 UTC 2016


+1, adding signature logic to alert output would be a nice convenience.

In that same context, would it be interesting to look at optionally appending signature logic related to flowbits as well? Specifically the signatures which 'set' flowbits required for an alert to fire. My initial thinking is the alert log could include both the alert signature, and the logic for flowbit-related signatures which remained set in the 'flowvars' structure at the time an alert signature matched. I may be considering the wrong aspects of Suricata for the development piece - but this might help provide a well-rounded representation of the decision-making involved in a given alert firing.

--
Adam

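Adam's suggestion, as an added example that is not code from this thread or from Suricata itself: a post-processing script that reads a rules file and enriches one eve.json alert record with the matching rule text plus every rule that sets a flowbit the alerting rule checks with `isset`. The rules, the alert record and the output field names `signature_rule`, `rev_mismatch` and `flowbit_rules` are constructed for this example.

```python
import re

# Constructed sample rules (not from the thread): sid 1000002 can only fire once
# sid 1000001 has set the flowbit "my.stage1" on the same flow.
RULES = r'''
alert tcp any any -> any 80 (msg:"STAGE1 seen"; content:"stage1"; flowbits:set,my.stage1; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"STAGE2 after STAGE1"; flowbits:isset,my.stage1; content:"stage2"; sid:1000002; rev:1;)
alert tcp any any -> any 443 (msg:"Unrelated"; content:"x"; sid:1000003; rev:2;)
'''

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+))?;")

def parse_rules(text):
    """Map sid -> raw rule text, rev, flowbits the rule sets and flowbits it requires (isset)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        sid = SID_RE.search(line)
        if not line or line.startswith("#") or not sid:
            continue
        rev = REV_RE.search(line)
        entry = {"rule": line, "rev": int(rev.group(1)) if rev else None, "sets": set(), "isset": set()}
        for op, arg in FLOWBITS_RE.findall(line):
            # isset accepts a|b (any of) and a&b (all of); each name is a dependency either way
            names = {n.strip() for n in re.split(r"[|&]", arg)} if arg else set()
            if op == "set":
                entry["sets"] |= names
            elif op == "isset":
                entry["isset"] |= names
        rules[int(sid.group(1))] = entry
    return rules

def enrich_alert(alert, rules):
    """Attach the matching rule text plus every rule that sets a flowbit this rule requires."""
    out = dict(alert)
    entry = rules.get(alert["alert"]["signature_id"])
    if entry is None:
        out["signature_rule"] = None  # sid not in the loaded ruleset: cannot explain the match
        return out
    out["signature_rule"] = entry["rule"]
    # a rev mismatch means the alert came from a different revision than the rule file on disk
    out["rev_mismatch"] = entry["rev"] != alert["alert"].get("rev")
    out["flowbit_rules"] = [r["rule"] for _, r in sorted(rules.items()) if r["sets"] & entry["isset"]]
    return out

# Constructed eve.json alert record, shaped like Suricata's "alert" event type
ALERT = {"timestamp": "2016-11-17T12:30:00.000000+0000", "event_type": "alert", "src_ip": "10.0.0.5",
         "dest_ip": "10.0.0.9", "alert": {"signature_id": 1000002, "rev": 1, "signature": "STAGE2 after STAGE1"}}
```

Calling `enrich_alert(ALERT, parse_rules(RULES))` returns the alert with `signature_rule` holding the sid 1000002 line and `flowbit_rules` holding only the sid 1000001 line, which is the one that set the required flowbit.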

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Jason Ish
Sent: Thursday, November 17, 2016 11:45 AM
To: erik clark
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] eve.json logging issues

On Thu, Nov 17, 2016 at 12:30 PM, erik clark <philosnef at gmail.com> wrote:
> Thanks! That worked.
>
> Is there a way to get the actual content of the signature into the
> alert? So not just the payload, subject, flowdata and so forth, but
> the actual signature itself, so someone can look at it in the alert to
> see why it may have fired erroneously...

No, not currently. But you aren't the first one to ask, so perhaps it's something we should think about doing.

Jason
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://suricon.net



