[Oisf-users] filestore, alerts, flowbits, and stream question

erik clark philosnef at gmail.com
Tue Mar 7 15:16:30 UTC 2017


So... we are looking at using filestore with signatures (commercial and
otherwise) when we see something of value. What we are seeing is that
packet: in json can contain absolute garbage, and when we have flowbits in
a stream, we don't have the uri that fired it for context.

If we use filestore, will that capture the entire file that fired the
alert, even if it's a sig that fired off a previously set flowbit and the
current rule? We are trying to find a way to directly correlate an event
with a payload_printable with something meaningful where the payload may
not be very clear in context of the rule itself.

Thanks!
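One defender-side way to get the missing context, added here as an example and not code from the poster or from the Suricata project: join each eve.json alert to the http and fileinfo events that share its flow_id, so the alert can be read beside the request URI and the stored file rather than beside payload_printable alone. The sample events below are constructed for the example; the field names (flow_id, event_type, http.url, fileinfo.stored, fileinfo.file_id) follow Suricata's eve.json layout, and the sha256 is a placeholder.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not from the original post): one HTTP flow
# that produced an http event, a fileinfo event and a flowbit follow-up alert,
# plus an unrelated alert on a second flow with no file context at all.
SAMPLE_EVE = """
{"timestamp":"2017-03-07T15:00:01.000000+0000","flow_id":1001,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","http":{"hostname":"example.test","url":"/downloads/report.pdf","http_method":"GET"}}
{"timestamp":"2017-03-07T15:00:01.100000+0000","flow_id":1001,"event_type":"fileinfo","http":{"hostname":"example.test","url":"/downloads/report.pdf"},"fileinfo":{"filename":"/downloads/report.pdf","sha256":"PLACEHOLDER_SHA256","stored":true,"file_id":17,"size":5120}}
{"timestamp":"2017-03-07T15:00:01.200000+0000","flow_id":1001,"event_type":"alert","alert":{"signature_id":9000002,"signature":"LOCAL flowbit follow-up match"},"payload_printable":"%PDF-1.4 ...garbled..."}
{"timestamp":"2017-03-07T15:00:02.000000+0000","flow_id":2002,"event_type":"alert","alert":{"signature_id":9000003,"signature":"LOCAL plain alert"},"payload_printable":"..."}
"""


def index_by_flow(lines):
    """Group parsed eve.json events first by flow_id, then by event_type."""
    by_flow = defaultdict(lambda: defaultdict(list))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        by_flow[ev.get("flow_id")][ev.get("event_type")].append(ev)
    return by_flow


def correlate_alerts(lines):
    """For every alert, return the request URL and any stored files seen on
    the same flow, so the alert is read in the context of what was fetched."""
    by_flow = index_by_flow(lines)
    results = []
    for flow_id, groups in by_flow.items():
        http = groups.get("http", [])
        stored = [e["fileinfo"] for e in groups.get("fileinfo", [])
                  if e["fileinfo"].get("stored")]
        for alert in groups.get("alert", []):
            results.append({
                "sid": alert["alert"]["signature_id"],
                "flow_id": flow_id,
                "url": http[0]["http"].get("url") if http else None,
                "stored_files": [(f["filename"], f["sha256"], f["file_id"])
                                 for f in stored],
            })
    return results


if __name__ == "__main__":
    for row in correlate_alerts(SAMPLE_EVE.splitlines()):
        print(row)
```

Alerts on a flow with no http or fileinfo events come back with url None and an empty stored_files list, which is itself a useful signal that the hit had no file context to store.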