doc: document target keyword

7 years ago · f5ad6a2095
parent 0c3a3101b1
commit f5ad6a2095
1 changed files with 17 additions and 0 deletions
--- a/doc/userguide/rules/meta.rst
+++ b/doc/userguide/rules/meta.rst
@ -179,3 +179,20 @@ keyword because it is part of the signature language.  The format is:
 ::

  metadata:......;
+
+Target
+------
+
+The target keyword allows the rules writer to specify which side of the
+alert is the target of the attack. If specified, the alert event is enhanced
+to contain information about source and target.
+
+The format is:
+
+::
+
+ target: [src_ip|dest_ip]
+
+If the value is src_ip then the source IP in the generated event (src_ip
+field in JSON) is the target of the attack. If target is set to dest_ip
+then the target is the destination IP in the generated event.