[Oisf-users] xbits in EVE & unified2
Victor Julien
lists at inliniac.net
Tue Apr 9 11:08:56 UTC 2019
Hi Champ!
On 08-04-19 17:31, Champ Clark III wrote:
> I was under the impression, perhaps incorrectly, that 'xbit' data gets
> stored in the Suricata EVE files. For example, if an 'xbit' gets
> 'set' or checked ('isset'), is there an EVE record of that happening?
> I've searched my Suricata instances' EVE files for 'xbits' and can't find
> any records of that. However, it might be that I haven't triggered any
> rules that have 'xbits' in them. I'd like to see how this data gets
> recorded.
Inside Suricata, xbits are implemented as various other bits: per host
bits (hostbits) and per IP pair. These two variants are not logged in EVE
currently. Feel free to open a feature ticket.
> Secondly, I know there are plans to deprecate 'unified2'. Is there a
> target date for this?
Yes, it's actually quite close: June this year, which means we can
probably already throw it out in our git master.
https://suricata-ids.org/about/deprecation-policy/
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
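To illustrate the point in the reply above (xbits are ordinary bits kept per host or per IP pair, with an expiry, and nothing about them reaches EVE), here is an added toy model of such a bit store. It is not Suricata's own code; the track modes, the treatment of an IP pair as unordered and the sample addresses are assumptions made for the example.

```python
"""Toy model of Suricata-style xbits: a bit store keyed per host or per
IP pair, with an expiry. Added illustration, not Suricata's own code;
track modes, unordered IP pairs and sample events are assumptions."""
from dataclasses import dataclass, field


@dataclass
class XbitStore:
    now: float = 0.0
    bits: dict = field(default_factory=dict)  # (name, key) -> expiry time

    @staticmethod
    def key(track, src, dst):
        # track selects which side of the flow the bit is stored on
        if track == "ip_src":
            return src
        if track == "ip_dst":
            return dst
        if track == "ip_pair":
            return tuple(sorted((src, dst)))  # assumed: pair is unordered
        raise ValueError(track)

    def set(self, name, track, src, dst, expire):
        self.bits[(name, self.key(track, src, dst))] = self.now + expire

    def isset(self, name, track, src, dst):
        exp = self.bits.get((name, self.key(track, src, dst)))
        return exp is not None and exp > self.now

    def unset(self, name, track, src, dst):
        self.bits.pop((name, self.key(track, src, dst)), None)

    def advance(self, seconds):
        self.now += seconds


def run_sample():
    """Constructed sequence: stage one sets a per-source bit, stage two
    only matches traffic from that same source, and the bit expires.
    Returns (same_src, other_src, expired)."""
    store = XbitStore()
    store.set("stage1", "ip_src", "10.0.0.5", "192.0.2.10", expire=60)
    same_src = store.isset("stage1", "ip_src", "10.0.0.5", "192.0.2.99")
    other_src = store.isset("stage1", "ip_src", "10.0.0.6", "192.0.2.10")
    store.advance(61)
    expired = store.isset("stage1", "ip_src", "10.0.0.5", "192.0.2.10")
    return same_src, other_src, expired
```

Because the store is only ever consulted by the rule engine, the sole EVE evidence of a bit being set is the alert from whichever rule performed the set or the isset check.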