Feature #1320 (Closed)
packet content in alert msg
Description
It would be handy if there were a way to include part of the packet content (a pcre match, or n bytes at offset x) in the "msg" part of the alert.
This would make extracting data from various protocols not supported explicitly much easier. For example, extracting the SIP caller and callee would be as easy as HTTP URL extraction is now.
Updated by god lol over 9 years ago
An even better option would be to export it into eve.json in some nicely structured way.
Updated by Peter Manev over 9 years ago
That is already implemented in 2.1beta1 -
https://redmine.openinfosecfoundation.org/issues/1208
Is this what you had in mind?
Updated by god lol over 9 years ago
Yes and no - having the entire payload dumped into .json is definitely better than nothing, but on the other hand it will result in lots of useless data transfers. It would be much better if there were a way to selectively choose which part of the payload is dumped and which is not. As far as I understood, all the matching facilities are already there (pcre engine, offset-length byte selection, etc.) - it would be nice to have the ability to use them not just for a boolean outcome (match/doesn't match), but to have access to the intermediary results as well - $1, $2 for pcre, content at offset, etc. - so they could be saved into .json instead of the entire payload.
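The following is an added illustration of the selective-extraction idea discussed in this comment; it is not code from this issue, from Suricata, or from any of the commenters. It models a rule as one pcre with named capture groups plus optional offset/length byte selections, applies it to a constructed SIP INVITE, and emits a compact record containing only the captured values rather than the whole payload. The record layout, the `ExtractRule` class, the field names (`pktvars`, `method`, `caller`, `callee`) and the sample packet are all invented for the example; they are not Suricata's rule syntax or its EVE schema.

```python
"""Selective payload extraction into a structured alert record (added example).

Models the behaviour requested in the thread: log only what a rule's pcre
capture groups or offset/length selections pick out of a payload, instead of
dumping the whole payload into every record. Names here are illustrative only.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ExtractRule:
    """Hypothetical rule: a pcre with named groups, plus (name, offset, length)
    byte selections in the spirit of content-at-offset matching."""
    sid: int
    msg: str
    pcre: re.Pattern
    byte_slices: List[Tuple[str, int, int]] = field(default_factory=list)


def extract(rule: ExtractRule, payload: bytes) -> Optional[dict]:
    """Return a record holding only the selected data, or None when the pcre
    does not match (no match means no alert, so nothing is logged)."""
    m = rule.pcre.search(payload)
    if m is None:
        return None
    # Named groups become named variables; unmatched optional groups are skipped.
    pktvars = {
        name: val.decode("utf-8", "replace")
        for name, val in m.groupdict().items()
        if val is not None
    }
    for name, offset, length in rule.byte_slices:
        chunk = payload[offset:offset + length]
        if len(chunk) < length:
            # Selection runs past the payload: record nothing rather than a truncated value.
            continue
        pktvars[name] = chunk.decode("utf-8", "replace")
    return {"event_type": "alert", "sid": rule.sid, "msg": rule.msg, "pktvars": pktvars}


def logged_bytes(record: dict) -> int:
    """Size of the record as it would be written to a JSON log line."""
    return len(json.dumps(record, separators=(",", ":")).encode("utf-8"))


# Constructed sample: a minimal SIP INVITE (RFC 2606 example domains, TEST-NET addresses).
SIP_INVITE = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.net>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Hypothetical rule: callee from the request line, caller from the From header,
# and the first 6 bytes of the payload as a content-at-offset selection.
SIP_CALL_RULE = ExtractRule(
    sid=1000001,
    msg="SIP INVITE caller/callee",
    pcre=re.compile(
        rb"^INVITE sip:(?P<callee>[^ \r\n]+) SIP/2\.0\r\n.*?^From: .*?<sip:(?P<caller>[^>]+)>",
        re.S | re.M,
    ),
    byte_slices=[("method", 0, 6)],
)


if __name__ == "__main__":
    rec = extract(SIP_CALL_RULE, SIP_INVITE)
    print(json.dumps(rec, indent=2))
    print(f"payload: {len(SIP_INVITE)} bytes, logged record: {logged_bytes(rec)} bytes")
```

Running the script shows the caller and callee as named variables in a record that is smaller than the raw INVITE, which is the trade-off this comment is after: the pcre engine still does the matching, but only the captured substrings reach the log.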
Updated by Andreas Herz over 8 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Victor Julien about 6 years ago
- Status changed from New to Closed
- Assignee deleted (Anonymous)
- Target version deleted (TBD)
Addressed for EVE records by #2352: logging metadata from both rules and traffic.