suricata/doc/userguide/output
Martin Natano fe9cac5870 eve/alert: include rule text in alert output
For SIEM analysis it is often useful to refer to the actual rules to
find out why a specific alert has been triggered when the signature
message does not convey enough information.

Turn on the new rule flag to include the rule text in eve alert output.
The feature is turned off by default.

With a rule like this:

    alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;)

The eve alert output might look something like this (pretty-printed for
readability):

    {
      "timestamp": "2017-08-14T12:35:05.830812+0200",
      "flow_id": 1919856770919772,
      "in_iface": "eth0",
      "event_type": "alert",
      "src_ip": "10.20.30.40",
      "src_port": 50968,
      "dest_ip": "8.8.8.8",
      "dest_port": 53,
      "proto": "UDP",
      "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 42,
        "rev": 0,
        "signature": "Google DNS server contacted",
        "category": "",
        "severity": 3,
        "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)"
      },
      "app_proto": "dns",
      "flow": {
        "pkts_toserver": 1,
        "pkts_toclient": 0,
        "bytes_toserver": 81,
        "bytes_toclient": 0,
        "start": "2017-08-14T12:35:05.830812+0200"
      }
    }

Feature #2020
8 years ago
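The commit message's own example shows why the embedded rule text is worth checking rather than just displaying: the alert header says `signature_id: 42` while the `rule` string says `sid:43`. The following Python script is an added example, not code from Suricata or from this commit; it parses EVE JSON lines, pulls `sid`, `rev` and `msg` out of the `rule` option body with a quote-aware splitter (so a `;` inside `msg:"..."` does not break the parse), and reports any disagreement with the alert header. The EVE lines, rule texts and signature ids in `EVE_LINES` are constructed for the example; the first mirrors the commit's sample, the rest are invented. Run it with a real `eve.json` by feeding `open("eve.json")` to `audit()`.

```python
"""Cross-check EVE alert events against the rule text embedded by the eve-log
alert 'rule' option. Added example; not Suricata code."""
import json

# Constructed sample EVE lines, not real captures. The first mirrors the commit
# message's example (rule text sid:43, alert header signature_id 42); the
# others are invented for contrast.
EVE_LINES = [
    json.dumps({
        "timestamp": "2017-08-14T12:35:05.830812+0200", "flow_id": 1919856770919772,
        "event_type": "alert", "src_ip": "10.20.30.40", "dest_ip": "8.8.8.8",
        "proto": "UDP", "app_proto": "dns",
        "alert": {"action": "allowed", "gid": 1, "signature_id": 42, "rev": 0,
                  "signature": "Google DNS server contacted", "category": "",
                  "severity": 3,
                  "rule": 'alert dns $HOME_NET any -> 8.8.8.8 any '
                          '(msg:"Google DNS server contacted"; sid:43;)'},
    }),
    json.dumps({
        "timestamp": "2017-08-14T12:36:00.000000+0200", "flow_id": 1919856770919773,
        "event_type": "alert", "src_ip": "10.20.30.41", "dest_ip": "10.0.0.53",
        "proto": "UDP", "app_proto": "dns",
        "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001, "rev": 2,
                  "signature": "Constructed: lookup of example.com; flagged",
                  "category": "", "severity": 3,
                  "rule": 'alert dns $HOME_NET any -> any any '
                          '(msg:"Constructed: lookup of example.com; flagged"; '
                          'content:"example.com"; nocase; sid:1000001; rev:2;)'},
    }),
    # Alert logged with the rule option left at its default (off): no "rule" key.
    json.dumps({
        "timestamp": "2017-08-14T12:37:00.000000+0200", "flow_id": 1919856770919774,
        "event_type": "alert", "src_ip": "10.20.30.42", "dest_ip": "8.8.4.4",
        "proto": "UDP", "app_proto": "dns",
        "alert": {"action": "allowed", "gid": 1, "signature_id": 7, "rev": 1,
                  "signature": "Constructed: no rule text", "category": "",
                  "severity": 3},
    }),
    # A non-alert event type is skipped by the audit.
    json.dumps({"timestamp": "2017-08-14T12:38:00.000000+0200", "event_type": "dns",
                "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}}),
]


def split_options(body):
    """Split a rule option body on ';' separators that are outside double quotes
    and not escaped with a backslash."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule_options(rule):
    """Return {keyword: value} for the options inside the rule's parentheses.
    Bare keywords (e.g. nocase) map to None; quoted values are unquoted with the
    \\" and \\; escapes removed. The first occurrence of a keyword wins."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        return {}
    opts = {}
    for part in split_options(rule[start + 1:end]):
        key, sep, val = part.partition(":")
        key, val = key.strip(), val.strip()
        if not sep:
            opts.setdefault(key, None)
            continue
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"').replace("\\;", ";").replace("\\\\", "\\")
        opts.setdefault(key, val)
    return opts


def check_alert(event):
    """Return the discrepancies between the alert header fields and the embedded
    rule text; an empty list means they agree."""
    alert = event["alert"]
    rule = alert.get("rule")
    if rule is None:
        return ["rule text missing from alert"]
    opts = parse_rule_options(rule)
    issues = []
    sid = opts.get("sid")
    if sid is None or not sid.isdigit() or int(sid) != alert["signature_id"]:
        issues.append(f"sid mismatch: alert signature_id={alert['signature_id']}, rule sid={sid}")
    rev = opts.get("rev")
    rule_rev = int(rev) if rev is not None and rev.isdigit() else 0  # no rev option means rev 0
    if rule_rev != alert.get("rev", 0):
        issues.append(f"rev mismatch: alert rev={alert.get('rev', 0)}, rule rev={rule_rev}")
    if opts.get("msg") != alert.get("signature"):
        issues.append(f"msg mismatch: alert signature={alert.get('signature')!r}, rule msg={opts.get('msg')!r}")
    return issues


def audit(lines):
    """Parse EVE JSON lines and map each alert's signature_id to its issues."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        report[event["alert"]["signature_id"]] = check_alert(event)
    return report


if __name__ == "__main__":
    for sid, issues in audit(EVE_LINES).items():
        print(sid, "OK" if not issues else "; ".join(issues))
```

A mismatch between the header and the embedded rule text is exactly the kind of thing a SIEM pipeline should surface before anyone starts reasoning about the alert from the `rule` field alone; the "rule text missing" case flags sensors where the option was never enabled.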
eve eve/alert: include rule text in alert output 8 years ago
files-json/elk doc: fix sphinx warnings 9 years ago
custom-http-logging.rst docs: sync up to recent redmine 9 years ago
custom-tls-logging.rst log: tls custom format log 8 years ago
index.rst doc: move log rotation to output section 8 years ago
log-rotation.rst doc: add more details to log rotation doc 8 years ago
lua-output.rst lua: add SCFlowId for getting the flow id 8 years ago
syslog-alerting-comp.rst doc: rename from "sphinx" to "userguide" 9 years ago