[Oisf-users] Metadata Field to JSON Output
Jason Ish
ish at unx.ca
Tue Jan 9 03:39:40 UTC 2018
On 2018-01-08 08:53 PM, Korodev wrote:
> Per the documentation [1] the metadata key in signatures is ignored by
> Suricata. Are there any future plans to pass that data through to the
> JSON output? I'm not sure how people here might using it, but I've
> seen this used for tagging signatures and it would be nice to have a
> tunable that would push that data into alert event types.
>
> If there's something else people are using to tag alerts at the
> signature level for post-processing workflows (rather than lists of
> sids/gids), I'd be interested in hearing that as well!
>
> [1] https://suricata.readthedocs.io/en/latest//rules/meta.html#metadata
Yes, there is an outstanding PR that is still in the discussion phase:
https://github.com/OISF/suricata/pull/2990
It adds a "metadata" object under the alert object that contains the
broken out metadata fields. One point of concern right now is that each
metadata field should have a list value, as it's not determined which
fields may appear once or multiple times.
Along these lines, there is a PR for putting the actual rule into the
alert as well. So we'd want to make these work together in the output.
But yes, it's in the works, if a bit stalled at the moment, but we'll get
back to it.
Jason
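Added example (not code from the Suricata project or from the PR discussed above): a small post-processing step of the kind Korodev asked about, which extracts the metadata keyword from rule text, keys it by sid, and attaches it to EVE alert records in the shape the reply describes (a "metadata" object under "alert", every key holding a list so that repeated keys such as a tag appearing twice are not lost). The rule lines, sids and the EVE record are constructed for this example; the exact field layout the PR will ship is an assumption taken from the description in the reply.

```python
"""Extract Suricata signature metadata and attach it to EVE alerts.

Added example, not from the Suricata project or the PR under discussion.
Assumptions: the proposed EVE shape is alert.metadata = {key: [values...]},
one list per metadata key, as described in the mailing-list reply; rule
text uses the standard "metadata: key value, key value;" keyword syntax.
"""
import json
import re

# Constructed sample rules for the example; sids are in a private range and
# do not correspond to any published ruleset.
RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE outbound beacon"; content:"/beacon"; http_uri; metadata: created_at 2018_01_08, tag malware, tag c2; sid:9000001; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh scan"; flags:S; metadata: created_at 2017_12_01, tag scanner; sid:9000002; rev:2;)
alert tcp any any -> any 80 (msg:"EXAMPLE no metadata"; sid:9000003; rev:1;)
'''

# Constructed EVE alert line (only the fields this example uses).
EVE_LINE = json.dumps({
    "timestamp": "2018-01-08T20:53:00.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5",
    "dest_ip": "203.0.113.7",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001,
              "rev": 1, "signature": "EXAMPLE outbound beacon"},
})

METADATA_RE = re.compile(r'\bmetadata:\s*([^;]*);')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_metadata(body):
    """Turn 'created_at 2018_01_08, tag malware, tag c2' into
    {'created_at': ['2018_01_08'], 'tag': ['malware', 'c2']}.

    Every key maps to a list: a key may legitimately repeat (tag above),
    and a consumer should not have to guess whether it gets a string or
    a list for a given key.
    """
    out = {}
    for item in body.split(','):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(' ')
        out.setdefault(key, []).append(value.strip())
    return out


def index_rules(rule_text):
    """Map sid -> metadata dict for every rule line. Rules without a
    metadata keyword get an empty dict so later lookups never fail."""
    index = {}
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_match = SID_RE.search(line)
        if sid_match is None:
            continue  # not a rule line we can key on
        meta_match = METADATA_RE.search(line)
        index[int(sid_match.group(1))] = (
            parse_metadata(meta_match.group(1)) if meta_match else {})
    return index


def tag_alert(event, index):
    """Post-process one parsed EVE event: add alert.metadata from the rule
    index. Non-alert events and unknown sids pass through unchanged."""
    if event.get('event_type') != 'alert':
        return event
    alert = event['alert']
    alert['metadata'] = index.get(alert.get('signature_id'), {})
    return event


def tag_eve_line(line, index):
    """Convenience wrapper for a raw eve.json line."""
    return tag_alert(json.loads(line), index)


def has_tag(event, tag):
    """Example consumer: does this alert carry a given 'tag' value?"""
    return tag in event.get('alert', {}).get('metadata', {}).get('tag', [])


if __name__ == '__main__':
    idx = index_rules(RULES)
    ev = tag_eve_line(EVE_LINE, idx)
    print(json.dumps(ev['alert'], indent=2))
    print('c2 alert:', has_tag(ev, 'c2'))
```

The list-per-key choice is the point of concern raised in the reply: a consumer written against `alert.metadata.tag[0]` keeps working whether a rule carries one tag or three, which a string-or-list shape would not give you.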