suricata

Commit Graph

Author	SHA1	Message	Date
Martin Natano	fe9cac5870	eve/alert: include rule text in alert output For SIEM analysis it is often useful to refer to the actual rules to find out why a specific alert has been triggered when the signature message does not convey enough information. Turn on the new rule flag to include the rule text in eve alert output. The feature is turned off by default. With a rule like this: alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;) The eve alert output might look something like this (pretty-printed for readability): { "timestamp": "2017-08-14T12:35:05.830812+0200", "flow_id": 1919856770919772, "in_iface": "eth0", "event_type": "alert", "src_ip": "10.20.30.40", "src_port": 50968, "dest_ip": "8.8.8.8", "dest_port": 53, "proto": "UDP", "alert": { "action": "allowed", "gid": 1, "signature_id": 42, "rev": 0, "signature": "Google DNS server contacted", "category": "", "severity": 3, "rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)" }, "app_proto": "dns", "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 81, "bytes_toclient": 0, "start": "2017-08-14T12:35:05.830812+0200" } } Feature #2020	8 years ago
Eric Leblond	72c8cd67d5	doc: documentation update on metadata	8 years ago
Jason Ish	ab939f4aaa	doc: breakout eve-log section to a partial file Both the suricata.yaml and eve configuration sections included the eve-log section from suricata.yaml. First, sync these up with the actual suricata.yaml then break it out into its own file, so only one file needs to be kept in sync with the actual configuration file.	8 years ago
Pascal Delalande	80f2fbac6e	rust/tftp: eve logging with rust	8 years ago
Pascal Delalande	0c99338e07	doc: update docs for DNS flags logging	8 years ago
Julian	f27b4fc8fe	redis: support for rpush in list mode This adds a new redis mode rpush. Also more consistent config keywords orientated at the redis command: lpush and publish. Keeping list and channel config keywords for backwards compatibility	8 years ago
Jason Ish	59d69666ea	doc: add more details to log rotation doc	8 years ago
Eric Leblond	b763c7ec11	doc: document http-body logging	8 years ago
Eric Leblond	9e581436a7	doc: info about new config for alert events in EVE	8 years ago
Eric Leblond	ef88689f1e	doc: add app_proto to alert event	8 years ago
Eric Leblond	f4374ffd0b	doc: some more info about alert format	8 years ago
Ray Ruvinskiy	7539973109	tls: logging for session resumption We assume session resumption has occurred if the Client Hello message included a session id, we have not seen the server certificate, but we have seen a Change Cipher Spec message from the server. Previously, these transactions were not logged at all because the server cert was never seen. Ticket: https://redmine.openinfosecfoundation.org/issues/1969	9 years ago
fooinha	36667ab8a1	doc: async mode for redis eve output async: true ## if redis replies are read asynchronously	9 years ago
Mats Klepsland	8b9f84bff2	doc: add documentation for date modifiers in eve-log	9 years ago
Mats Klepsland	37a12fe799	doc: add documentation for eve-log file rotation	9 years ago
Mats Klepsland	3b23387664	doc: add documentation for eve-log file permissions	9 years ago
Mats Klepsland	ee9f822b8e	doc: add documentation for tls_cert_serial keyword	9 years ago
Mats Klepsland	e91bb09c91	doc: add documentation for TLS eve-log	9 years ago
Mats Klepsland	6a382259f8	doc: documentation for custom JSON flags in eve-log	9 years ago
Victor Julien	4126fd82a0	doc: small eve update: add dns	9 years ago
Victor Julien	aaf0fe4d29	doc: eve update	9 years ago
Andi	8e655cf107	eve-json-format: add newest version from the wiki This was added by pevma in the wiki, so should go into the sphinx doc as well.	9 years ago
Jason Ish	2751baae46	doc: rename from "sphinx" to "userguide"	9 years ago

1 2

73 Commits (f211a330ddfbac8a6d0b85ea5f2ee0fcc1ccad3d)