@ -179,3 +179,20 @@ keyword because it is part of the signature language. The format is:
::
metadata:......;
Target
------
The target keyword allows the rules writer to specify which side of the
alert is the target of the attack. If specified, the alert event is enhanced
to contain information about source and target.
The format is:
::
target: [src_ip|dest_ip]
If the value is src_ip then the source IP in the generated event (src_ip
field in JSON) is the target of the attack. If target is set to dest_ip
then the target is the destination IP in the generated event.
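Review bot: the closing paragraph of the new Target section says the alert event is "enhanced to contain information about source and target" but never names the fields that are added, so a rule author reading this cannot tell what to look for in the generated JSON; add a short example rule using `target: dest_ip;` together with the resulting alert output, and state explicitly what the event looks like when the keyword is absent (the text only says "If specified"). Minor: the format line `target: [src_ip|dest_ip]` reads as though the square brackets were literal syntax and drops the trailing semicolon that the `metadata:......;` line above it shows; writing it as `target: src_ip;` or `target: dest_ip;` would match the convention used for the other keywords. Also "the rules writer" should read "the rule writer".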