6 Commits (c052e23348e71e4fef27204642eee56ac476ea42)

Author	SHA1	Message	Date
Pierre Chifflier	6eb48e1e93	Add ikev2 to userguide	7 years ago
Giuseppe Longo	fb66d45754	doc: introduce dns compact logging	7 years ago
Jason Ish	74e036d09f	doc: update eve/alert/metadata configuration	7 years ago
Martin Natano	fe9cac5870	eve/alert: include rule text in alert output ... For SIEM analysis it is often useful to refer to the actual rules to find out why a specific alert has been triggered when the signature message does not convey enough information. Turn on the new rule flag to include the rule text in eve alert output. The feature is turned off by default. With a rule like this: alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;) The eve alert output might look something like this (pretty-printed for readability): { "timestamp": "2017-08-14T12:35:05.830812+0200", "flow_id": 1919856770919772, "in_iface": "eth0", "event_type": "alert", "src_ip": "10.20.30.40", "src_port": 50968, "dest_ip": "8.8.8.8", "dest_port": 53, "proto": "UDP", "alert": { "action": "allowed", "gid": 1, "signature_id": 42, "rev": 0, "signature": "Google DNS server contacted", "category": "", "severity": 3, "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)" }, "app_proto": "dns", "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 81, "bytes_toclient": 0, "start": "2017-08-14T12:35:05.830812+0200" } } Feature #2020	7 years ago
Eric Leblond	72c8cd67d5	doc: documentation update on metadata	7 years ago
Jason Ish	ab939f4aaa	doc: breakout eve-log section to a partial file ... Both the suricata.yaml and eve configuration sections included the eve-log section from suricata.yaml. First, sync these up with the actual suricata.yaml then break it out into its own file, so only one file needs to be kept in sync with the actual configuration file.	7 years ago