[Oisf-users] Fwsam Functionality
Champ Clark III
cclark at quadrantsec.com
Mon Jul 15 20:44:35 UTC 2019
First off, thank you for the response....
> This can be solved by using the target keyword that indicates which side
> is the bad side. Rule writers seem not to have picked it up (bad rule
> writers) and that is a shame. Yes, please use this, it is trivial when
> writing rules!
Thinking about it, I really should have considered the "metadata" keyword from the beginning. I'll definitely move the options there. This allows for a lot more flexibility.
I was not aware of the "target" keyword. I just did a quick test and the "target" was nicely recorded in the EVE output. However, I'm not sure if I will need it. As you pointed out, it isn't used very often. In fact, I could not find one "target" keyword used in the ET rule set.
Again, thank you for the advice!