[Oisf-users] Fwsam Functionality
David Wharton
oisf at davidwharton.us
Tue Jul 16 11:23:32 UTC 2019
Eric, et. al,
Do you think it is still justifiable to have a separate "target" keyword
or would it make more sense to leverage the "metadata" keyword to store
this information, and encourage rule writers to put it there?
Personally, I'm more in favor of the latter since the metadata keyword
is already used to store rule classification information, and at this
point the "target" keyword seems like a confusing "one-off" feature.
And if rule writers haven't incorporated using the "target" keyword by
this point, it shouldn't be too painful to tell them to stick it in the
metadata keyword instead.
-David
On 7/15/19 4:44 PM, Champ Clark III wrote:
> First off, thank you for the response....
>
>> This can be solved by using the target keyword that indicate which side
>> is the bad side. Rules writers seems not to have picked it (bad rules
>> writers) and that is a shame. Yes, please use this, it is trivial when
>> writing rules !
>
> Thinking about it, I really should have considered the "metadata" keyword from the beginning. I'll definitely move the options there. This allows for a lot more flexibility.
>
> I was not aware of the "target" keyword. I just did a quick test and the "target" was nicely recorded in the EVE output. However, I'm not sure if I will need it. As you pointed out, it isn't used very often. In fact, I could not find one "target" keyword used in the ET rule set.
>
> Again, thank you for the advice!
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190716/d8472d50/attachment.html>
More information about the Oisf-users
mailing list