@ -89,23 +89,17 @@ generated the event.
Event type: Alert
-----------------
Field action
~~~~~~~~~~~~
Possible values: "allowed" and "blocked"
Example:
::
"action":"allowed"
This field contains data about a signature that matched, such as
`` signature_id `` (`` sid `` in the rule) and the `` signature `` (`` msg `` in the
rule).
Action is set to "allowed" unless a rule used the "drop" action and Suricata is in IPS mode, or when the rule used the "reject" action.
It can also contain information about Source and Target of the attack in the alert.source and alert.target field if target keyword is used in
It can also contain information about Source and Target of the attack in the
`` alert.source `` and `` alert.target `` field if target keyword is used in
the signature.
This event will also have the `` pcap_cnt `` field, when running in pcap mode, to
indicate which packet triggered the signature.
::
"alert": {
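Review bot: with the `Field action` subsection removed from this position, the paragraph that follows the `Event type: Alert` heading still opens with "This field contains data about a signature that matched", but there is no longer a field heading for "This field" to refer to; consider rewording it to name the object, e.g. "The `alert` object contains data about the signature that matched, such as ...", so the sentence reads correctly in the new layout. The wrap of the overlong "It can also contain information about Source and Target of the attack ..." line into three lines is fine, but the `target` keyword reference could be marked up as `` `target` `` like the other rule keywords (`sid`, `msg`) for consistency.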
@ -147,6 +141,49 @@ the signature.
}
},
Action field
~~~~~~~~~~~~
Possible values: "allowed" and "blocked".
Example:
::
"action":"allowed"
Action is set to "allowed" unless a rule used the "drop" action and Suricata is
in IPS mode, or when the rule used the "reject" action. It is important to note
that this does not necessarily indicate the final verdict for a given packet or
flow, since one packet may match on several rules.
.. _verdict-alert:
Verdict
~~~~~~~
An object containning info on the final action that will be applied to a given
packet, based on all the signatures triggered by it and other possible events
(e.g., a flow drop). For that reason, it is possible for an alert with
an action `` allowed `` to have a verdict `` drop `` , in IPS mode, for instance, if
that packet was dropped due to a different alert.
* Action: `` alert `` , `` pass `` , `` drop `` (this latter only occurs in IPS mode)
* Reject-target: `` to_server `` , `` to_client `` , `` both `` (only occurs for 'reject' rules)
* Reject: an array of strings with possible reject types: `` tcp-reset `` ,
`` icmp-prohib `` (only occurs for 'reject' rules)
Example:
::
"verdict": {
"action": "drop",
"reject-target": "to_client",
"reject": "[icmp-prohib]"
}
Pcap Field
~~~~~~~~~~
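Review bot: the Verdict example disagrees with the field description: the bullet says `reject` is "an array of strings", but the example shows `"reject": "[icmp-prohib]"`, which is a single string containing brackets rather than a JSON array; it should read `"reject": ["icmp-prohib"]` (or list both values, `["tcp-reset", "icmp-prohib"]`, if that is what the code emits for a reject rule matching both). Two smaller points in the same hunk: "containning" in the first Verdict sentence is a typo for "containing", and "this latter only occurs in IPS mode" reads better as "the latter only occurs in IPS mode". The note in the Action field that the action "does not necessarily indicate the final verdict" is a useful addition; it may help to reference the `verdict-alert` label right there so readers jump to the Verdict object.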
@ -2532,4 +2569,4 @@ Example of DHCP log entry (extended logging enabled):
"rebinding_time":43200,
"client_id":"54:ee:75:51:e0:66",
"dns_servers":["192.168.1.50","192.168.1.49"]
}
}