[Oisf-users] Fwsam Functionality

Champ Clark III cclark at quadrantsec.com
Mon Jul 15 20:44:35 UTC 2019

First off, thank you for the response....

> This can be solved by using the target keyword that indicate which side
> is the bad side. Rules writers seems not to have picked it (bad rules
> writers) and that is a shame. Yes, please use this, it is trivial when
> writing rules !

Thinking about it,  I really should have considered the "metadata" keyword from the beginning. I'll definitely move the options there.  This allows for a lot more flexibility. 

I was not aware of the "target" keyword.  I just did a quick test and the "target" was nicely recorded in the EVE output.  However, I'm not sure if I will need it.  As you pointed out, it isn't used very often.  In fact,  I could not find one "target" keyword used in the ET rule set.

Again,  thank you for the advice!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2128 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190715/caaef51e/attachment-0001.bin>

More information about the Oisf-users mailing list