Actions
Feature #1005
openconditional logging: controlling what gets logged
Added by Victor Julien about 12 years ago. Updated 7 months ago.
Effort:
Difficulty:
Label:
Description
For http, files, tls, dns, etc.
Per log option: enabled, conditional, disabled
Per rule keyword: log:(all|tls|http|dns|file);
Updated by Andreas Herz over 8 years ago
- Related to Feature #821: conditional logging: output steering added
Updated by Andreas Herz over 8 years ago
- Related to Feature #821: conditional logging: output steering added
Updated by Andreas Herz over 8 years ago
- Related to deleted (Feature #821: conditional logging: output steering)
Updated by Victor Julien over 7 years ago
- Related to Feature #843: Custom http logging filter functionality added
Updated by Victor Julien about 6 years ago
- Related to Feature #2661: output the http-body-data to eve.json added
Updated by Victor Julien about 6 years ago
- Related to Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extracted added
Updated by Victor Julien about 6 years ago
- Related to Feature #1950: allow configuration of file-store types added
Updated by Victor Julien almost 6 years ago
Dumping some notes about what this could look like.
The idea here is to add a new 'config' action with a 'config' keyword that would allow the rule writer to enable/disable certain features for a certain scope.
config tcp any any -> any any (config:<subsys>, <enable>, type <subtype>, scope <scope>; .. )
config tcp any any -> any any (config:logging, disable, type file, scope flow; .. )
config http any any -> any any (http.uri; content:"/index.html"; config:logging, disable, type file, scope flow; .. )
config dns any any -> any any (dns.query; content:"google.com"; endswith; config:logging, disable, type proto, scope tx; .. )
config
logging:
state: enable/disable
type:
proto (depends on alproto, so http, smb, etc)
file
alert
drop
scope:
packet
flow
tx
file
src_ip
dest_ip
ip_pair
bypass:
state: enable/disable
scope:
flow
src_ip
dest_ip
ip_pair
inspect (pass):
state: enable/disable
type:
packet
payload
applayer
file
stream-events (config ... (stream_is_lossy; config:inspect, disable, type stream-events, scope flow; ...))
scope:
packet
flow
tx
file
src_ip
dest_ip
ip_pair
Updated by Victor Julien almost 6 years ago
- Subject changed from conditional logging to conditional logging: controlling what gets logged
Updated by Victor Julien almost 6 years ago
- Target version changed from TBD to 6.0.0beta1
Updated by Victor Julien over 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien over 5 years ago
- Target version changed from 6.0.0beta1 to 7.0.0-beta1
Updated by Victor Julien almost 5 years ago
- Related to Feature #121: Alert on domain name look up, capture traffic for corresponding IP added
Updated by Victor Julien about 3 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien almost 3 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Updated by Victor Julien 7 months ago
- Target version changed from 8.0.0-beta1 to 9.0.0-beta1
Actions