@ -163,10 +163,22 @@ Metadata::
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
# payload-printable: yes # enable dumping payload in printable (lossy) format
# packet: yes # enable dumping of packet (without stream segments)
metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
Alternatively to the `metadata` key it is also possible to select the application
layer metadata to output on a per application layer basis ::
- alert:
http: yes # enable dumping of http fields
tls: yes # enable dumping of tls fields
ssh: yes # enable dumping of ssh fields
smtp: yes # enable dumping of smtp fields
dnp3: yes # enable dumping of dnp3 fields
flow: yes # enable dumping of a partial flow entry
vars: yes # enable dumping of flowbits and other vars
The `vars` will enable dumping of a set of key/value based on flowbits and other vars
such as named groups in regular expression.
DNS
~~~
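Review bot: the paragraph beginning "Alternatively to the `metadata` key" does not say how the per-protocol selection interacts with `metadata: yes`; a reader who sets both `metadata: yes` and, say, `http: no` cannot tell from this text whether the application-layer fields are emitted or suppressed, so the hunk should state which setting takes precedence (or that the per-protocol keys are only consulted when `metadata` is not set). In the same region, `flow: yes  # enable dumping of a partial flow entry` should name, or point to the section that names, the subset of flow fields it adds, since "partial" is otherwise undefined. The closing `vars` paragraph also needs a grammar pass: "a set of key/value based on flowbits and other vars such as named groups in regular expression" should read "a set of key/value pairs based on flowbits and other vars, such as named capture groups in regular expressions". Finally, since the surrounding options enable dumping of raw `payload` and `packet` bytes into eve-log, a one-line note that these fields can carry sensitive traffic content and grow the log substantially (bounded by `payload-buffer-size`) would help operators decide whether to enable them.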