[Oisf-users] Fwsam Functionality

David Wharton oisf at davidwharton.us
Tue Jul 16 11:23:32 UTC 2019

Eric, et al.,

Do you think it is still justifiable to have a separate "target" keyword 
or would it make more sense to leverage the "metadata" keyword to store 
this information, and encourage rule writers to put it there?  
Personally, I'm more in favor of the latter since the metadata keyword 
is already used to store rule classification information, and at this 
point the "target" keyword seems like a confusing "one-off" feature.  
And if rule writers haven't incorporated using the "target" keyword by 
this point, it shouldn't be too painful to tell them to stick it in the 
metadata keyword instead.


On 7/15/19 4:44 PM, Champ Clark III wrote:
> First off, thank you for the response....
>> This can be solved by using the target keyword that indicates which side
>> is the bad side. Rule writers seem not to have picked it up (bad rule
>> writers) and that is a shame. Yes, please use this, it is trivial when
>> writing rules!
> Thinking about it,  I really should have considered the "metadata" keyword from the beginning. I'll definitely move the options there.  This allows for a lot more flexibility.
> I was not aware of the "target" keyword.  I just did a quick test and the "target" was nicely recorded in the EVE output.  However, I'm not sure if I will need it.  As you pointed out, it isn't used very often.  In fact, I could not find one "target" keyword used in the ET rule set.
> Again,  thank you for the advice!
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
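The thread compares two ways a rule can say which end of a flow is the bad one: the dedicated `target:src_ip;` / `target:dest_ip;` keyword, or a key/value pair inside `metadata:`. The script below, added here as an example and not code from Suricata, the ET ruleset or anyone in the thread, parses both forms out of a rule and uses the result to pick the malicious IP out of an EVE alert record. The metadata key name `target` is a hypothetical convention, and the rules and EVE lines are constructed for the example.

```python
"""Find the "bad side" of a Suricata alert from its rule (added example).

Assumptions: target:src_ip; / target:dest_ip; is the Suricata keyword
syntax; metadata values are "key value" pairs separated by commas; the
metadata key "target" is a hypothetical convention; rules and EVE records
below are constructed and alerts are matched to rules by signature_id.
"""
import json
import re

SIDES = ("src_ip", "dest_ip")


def split_options(rule):
    """Return (keyword, value) pairs from the rule's option section.

    Splits on ';' only outside double quotes, so a pcre or content value
    containing ';' is not cut in half.
    """
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("rule has no option section")
    opts, buf, in_quote = [], [], False
    for ch in m.group(1):
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        opts.append("".join(buf).strip())
    pairs = []
    for opt in opts:
        key, _, value = opt.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def parse_metadata(value):
    """Parse 'key value, key value' into {key: [values]}."""
    md = {}
    for pair in value.split(","):
        pair = pair.strip()
        if not pair:
            continue
        key, _, val = pair.partition(" ")
        md.setdefault(key, []).append(val.strip())
    return md


def bad_side_from_rule(rule, metadata_key="target"):
    """Return 'src_ip', 'dest_ip' or None for one rule.

    Prefers the target keyword and falls back to metadata_key inside
    metadata (hypothetical convention). Raises when the two disagree or
    the value is not a known side, so rule linting catches it early.
    """
    target, md = None, {}
    for key, value in split_options(rule):
        if key == "target":
            target = value
        elif key == "metadata":  # a rule may carry several metadata keywords
            for k, vals in parse_metadata(value).items():
                md.setdefault(k, []).extend(vals)
    md_target = md.get(metadata_key, [None])[0]
    if target and md_target and target != md_target:
        raise ValueError(f"target {target!r} contradicts metadata {md_target!r}")
    side = target or md_target
    if side is not None and side not in SIDES:
        raise ValueError(f"unknown side {side!r}")
    return side


def resolve_alert_target(eve_line, rules_by_sid):
    """Return the IP on the bad side of an EVE alert line, or None."""
    event = json.loads(eve_line)
    if event.get("event_type") != "alert":
        return None
    side = bad_side_from_rule(rules_by_sid[event["alert"]["signature_id"]])
    return event[side] if side else None


# Constructed rules (local sid range, not ET sids). 1000001 uses the target
# keyword, 1000002 puts the same information in metadata, 1000003 has neither.
RULES = {
    1000001: 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Beacon to C2"; '
             'flow:established,to_server; content:"/gate.php"; http_uri; '
             'pcre:"/gate\\.php\\?id=[0-9]+;/U"; target:src_ip; '
             'metadata:created_at 2019_07_16; sid:1000001; rev:1;)',
    1000002: 'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB exploit attempt"; '
             'flow:established,to_server; content:"|ff|SMB"; '
             'metadata:created_at 2019_07_16, target src_ip; sid:1000002; rev:1;)',
    1000003: 'alert tcp any any -> any any (msg:"EXAMPLE no target info"; sid:1000003; rev:1;)',
}

# Constructed EVE alert records (only the fields the resolver reads).
EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10",'
    '"dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"rev":1}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","src_port":40001,"dest_ip":"10.0.0.9",'
    '"dest_port":445,"proto":"TCP","alert":{"signature_id":1000002,"rev":1}}',
    '{"event_type":"alert","src_ip":"10.0.0.1","src_port":1,"dest_ip":"10.0.0.2",'
    '"dest_port":2,"proto":"TCP","alert":{"signature_id":1000003,"rev":1}}',
]


def resolve_all():
    """Map each constructed alert's sid to its bad-side IP (None if unknown)."""
    return {json.loads(l)["alert"]["signature_id"]: resolve_alert_target(l, RULES)
            for l in EVE_LINES}


if __name__ == "__main__":
    for sid, ip in resolve_all().items():
        print(sid, ip)
```

Rule 1000001 resolves to the internal beaconing host, rule 1000002 to the external client hitting SMB, and rule 1000003 to nothing, which is the case Champ Clark's tool has to live with for most of the ET ruleset as it stood. Whichever keyword a ruleset ends up standardising on, the linting path in `bad_side_from_rule` is the part worth keeping: a rule that says one thing in `target` and another in `metadata` should fail to load rather than silently pick a side.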