[Oisf-users] Additional data in eve.json
Andreas Herz
aherz at oisf.net
Tue May 26 20:38:21 UTC 2020
On 26/05/20 at 14:06, Ramona Tăme wrote:
> I am trying to add more details for triggered alerts listed within
> eve.json. I am interested for each alert to get the DNS resolved, to get
> the URL, the certificate and potentially other data. I have enabled
> extended data within the surricata.yaml config but I still don't get these
> details I was hoping to get. Does anybody have any suggestions how to do
> this? If I need to use Lua and generate another output file, does anyone
> have an example on how to get these details by using Lua?
Not all alerts provide that, but you can enable all the other flow metadata
and use the flow_id to correlate those infos.
So you would have an event_type alert but also event_type dns with
additional meta data.
--
Andreas Herz
More information about the Oisf-users
mailing list