aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: documentation update on metadata

Browse Source
pull/3205/head
Eric Leblond 9 years ago committed by Jason Ish
parent 9864552484
commit 72c8cd67d5
3 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File

12
doc/userguide/output/eve/eve-json-output.rst
Unescape Escape View File

@ -76,6 +76,18 @@ layer metadata to output on a per application layer basis ::
The `vars` will enable dumping of a set of key/value based on flowbits and other vars The `vars` will enable dumping of a set of key/value based on flowbits and other vars
such as named groups in regular expression. such as named groups in regular expression.
It is also possible to log key/value pairs defined by the metadata keyword on rule. To
do so you need to set `enabled` to yes under `rule-metadata` ::
- alert:
metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
enabled: yes # set to yes to enable
output-array: no # output value of key as an array
array-keys: [tag] # comma separated array of keys to output as array
This will add a `alert.metadata` object in the alert event.
DNS DNS
~~~ ~~~

5
doc/userguide/partials/eve-log.yaml
Unescape Escape View File

@ -54,6 +54,11 @@ outputs:
# "tag" keyword. # "tag" keyword.
tagged-packets: yes tagged-packets: yes
rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
enabled: no # set to yes to enable
output-array: no # output value of key as an array
array-keys: [tag] # comma separated array of keys to output as array
# HTTP X-Forwarded-For support by adding an extra field or overwriting # HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction) # the source or destination IP address (depending on flow direction)
# with the one reported in the X-Forwarded-For HTTP header. This is # with the one reported in the X-Forwarded-For HTTP header. This is

10
doc/userguide/rules/meta.rst
Unescape Escape View File

@ -168,10 +168,14 @@ format of priority is::
metadata metadata
-------- --------
Suricata ignores the words behind meta data. Suricata supports this
keyword because it is part of the signature language. The format is::
metadata:......; The meatadata keyword allows additional, non-functional information to
be added to the signature. While the format is free-form, it is
recommended to stick to key, value pairs as Suricata can include these
in eve alerts. The format is::
metadata: key value;
metadata: key value, key value;
target target
------ ------

Write Preview
Loading…
Cancel
Save