[Oisf-users] eve.json logging issues

erik clark philosnef at gmail.com
Tue Nov 22 13:56:19 UTC 2016


Flowbits could be messy. You might have more than one flowbit, and in any
case, you would ideally like to wrap all the sigs that were associated with
a flowbit flow into the alert. That could get very ugly.

I think just getting the sig into the alerts would be great as a start. :)

On Mon, Nov 21, 2016 at 8:01 PM, Adam Witt <AWitt at westernalliancebank.com>
wrote:

> Shortly after sending this, I realized that I asked for two different
> things. I wouldn't want to log signatures for all set flowbits in a given
> flow - just signatures which set flowbits that the alerting rule relied on
> to fire.
>
> --
> Adam
>
> -----Original Message-----
> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Adam Witt
> Sent: Monday, November 21, 2016 5:08 PM
> To: Jason Ish; erik clark
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] eve.json logging issues
>
> +1, adding signature logic to alert output would be a nice convenience.
>
> In that same context, would it be interesting to look at optionally
> appending signature logic related to flowbits as well? Specifically the
> signatures which 'set' flowbits required for an alert to fire. My initial
> thinking is the alert log could include both the alert signature, and the
> logic for flowbit-related signatures which remained set in the 'flowvars'
> structure at the time an alert signature matched. I may be considering the
> wrong aspects of Suricata for the development piece - but this might help
> provide a well-rounded representation of the decision-making involved in a
> given alert firing.
>
> --
> Adam
>
>
> -----Original Message-----
> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Jason Ish
> Sent: Thursday, November 17, 2016 11:45 AM
> To: erik clark
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] eve.json logging issues
>
> On Thu, Nov 17, 2016 at 12:30 PM, erik clark <philosnef at gmail.com> wrote:
> > Thanks! That worked.
> >
> > Is there a way to get the actual content of the signature into the
> > alert? So not just the payload, subject, flowdata and so forth, but
> > the actual signature itself, so someone can look at it in the alert to
> > see why it may have fired erroneously...
>
> No, not currently. But you aren't the first one to ask, so perhaps it's
> something we should think about doing.
>
> Jason
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://suricon.net
>
> CONFIDENTIALITY. This email and any attachments are confidential, except
> where the email states it can be disclosed; it may also be privileged. If
> received in error, please do not disclose the contents to anyone, but
> notify the sender by return email and delete this email (and any
> attachments) from your system.
> Need to send me a file too big for email? You can upload it at
> westernalliancebancorp.sharefile.com
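Until the alert output carries the rule text itself, the same information can be stitched in after the fact. What follows is an added example, not code from this thread or from the Suricata project: a Python post-processor that takes one eve.json alert record, looks the rule up by (gid, sid, rev) in the ruleset the sensor loaded and attaches its text, and then also attaches every rule that does `flowbits:set` on a bit the alerting rule checks with `flowbits:isset`. The ruleset, the alert record and the output field names `rule_text` and `flowbit_setters` are all constructed for the example.

```python
"""Enrich a Suricata eve.json alert with the rule text and the rules that
set the flowbits it depends on.  Example code; sample data is constructed."""
import json
import re

# One rule option is `name;` or `name:value;`.  A value may contain ';' only
# inside double quotes, so the regex consumes quoted runs as a unit.
_OPTION_RE = re.compile(r'(\w+)\s*(?::\s*((?:"[^"]*"|[^;"])*))?;')


def parse_rules(text):
    """Map (gid, sid, rev) -> {"raw", "msg", "flowbits": [(op, [bit, ...])]}."""
    rules = {}
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            continue                           # no option body: not a rule
        gid, sid, rev, msg, flowbits = 1, None, 1, "", []
        for key, val in _OPTION_RE.findall(line[start + 1:end]):
            val = (val or "").strip()
            if key == "sid":
                sid = int(val)
            elif key == "rev":
                rev = int(val)
            elif key == "gid":
                gid = int(val)
            elif key == "msg":
                msg = val.strip('"')
            elif key == "flowbits":
                op, _, names = val.partition(",")
                # `isset,a|b` / `isset,a&b` name several bits at once
                names = [n.strip() for n in re.split(r"[|&]", names) if n.strip()]
                flowbits.append((op.strip(), names))
        if sid is not None:
            rules[(gid, sid, rev)] = {"raw": line, "msg": msg, "flowbits": flowbits}
    return rules


def setters_for(rules, bit):
    """All rules whose flowbits option sets the named bit."""
    return [r for r in rules.values()
            if any(op == "set" and bit in names for op, names in r["flowbits"])]


def enrich_alert(record, rules):
    """Return the alert dict with `rule_text` and `flowbit_setters` attached."""
    rec = json.loads(record) if isinstance(record, str) else dict(record)
    if rec.get("event_type") != "alert":
        return rec
    a = rec["alert"]
    rule = rules.get((a.get("gid", 1), a["signature_id"], a.get("rev", 1)))
    if rule is None:
        rec["rule_text"] = None                # rev/ruleset mismatch: flag, don't guess
        return rec
    rec["rule_text"] = rule["raw"]
    required = [b for op, names in rule["flowbits"] if op == "isset" for b in names]
    rec["flowbit_setters"] = {b: [s["raw"] for s in setters_for(rules, b)]
                              for b in required}
    return rec


# Constructed sample ruleset: 9000001 sets a bit silently, 9000002 needs it.
SAMPLE_RULES = r'''
# example rules (constructed)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE set bit on old MSIE UA"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0)"; http_user_agent; flowbits:set,example.bad_ua; flowbits:noalert; sid:9000001; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POST after old MSIE UA"; flow:established,to_server; flowbits:isset,example.bad_ua; content:"POST"; http_method; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE unrelated"; content:"abc"; sid:9000003; rev:1;)
'''

# Constructed eve.json alert record for sid 9000002.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2016-11-22T13:00:00.000000+0000", "event_type": "alert",
    "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 9000002, "rev": 1,
              "signature": "EXAMPLE POST after old MSIE UA", "category": "",
              "severity": 3},
})


def demo():
    """Enrich the sample alert against the sample ruleset."""
    return enrich_alert(SAMPLE_ALERT, parse_rules(SAMPLE_RULES))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats worth keeping in mind. The enrichment lists every rule that could have set a required bit, not the one that actually did on this flow; that state lived in the flow at match time and only the engine could log it, which is what the "still set in flowvars at alert time" idea above would need. And the lookup keys on rev as well as sid, so it has to run against the same rule files the sensor had loaded, or an updated ruleset will silently return `rule_text: null`.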

