mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
fe9cac5870
For SIEM analysis it is often useful to refer to the actual rules to
find out why a specific alert has been triggered when the signature
message does not convey enough information.
Turn on the new rule flag to include the rule text in eve alert output.
The feature is turned off by default.
With a rule like this:
alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;)
The eve alert output might look something like this (pretty-printed for
readability):
{
"timestamp": "2017-08-14T12:35:05.830812+0200",
"flow_id": 1919856770919772,
"in_iface": "eth0",
"event_type": "alert",
"src_ip": "10.20.30.40",
"src_port": 50968,
"dest_ip": "8.8.8.8",
"dest_port": 53,
"proto": "UDP",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 42,
"rev": 0,
"signature": "Google DNS server contacted",
"category": "",
"severity": 3,
"rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)"
},
"app_proto": "dns",
"flow": {
"pkts_toserver": 1,
"pkts_toclient": 0,
"bytes_toserver": 81,
"bytes_toclient": 0,
"start": "2017-08-14T12:35:05.830812+0200"
}
}
Feature #2020
|
7 years ago | |
|---|---|---|
| .. | ||
| doxygen | ||
| userguide | 7 years ago | |
| AUTHORS | ||
| Basic_Setup.txt | ||
| CentOS5.txt | ||
| CentOS_56_Installation.txt | ||
| Debian_Installation.txt | ||
| Fedora_Core.txt | ||
| FreeBSD_8.txt | ||
| GITGUIDE | ||
| HTP_library_installation.txt | ||
| INSTALL | ||
| INSTALL.PF_RING | ||
| INSTALL.WINDOWS | ||
| Installation_from_GIT_with_PCRE-JIT.txt | ||
| Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt | ||
| Installation_with_PF_RING.txt | ||
| Mac_OS_X_106x.txt | ||
| Makefile.am | 7 years ago | |
| NEWS | ||
| OpenBSD_Installation_from_GIT.txt | ||
| README | ||
| Setting_up_IPSinline_for_Linux.txt | ||
| TODO | ||
| Third_Party_Installation_Guides.txt | ||
| Ubuntu_Installation.txt | ||
| Ubuntu_Installation_from_GIT.txt | ||
| Windows.txt | ||