Feature #1320
closed
packet content in alert msg
Added by god lol over 9 years ago.
Updated about 6 years ago.
Description
It would be handy if there would be a way to include part of the packet content (pcre match or n bytes at offset x) into "msg" part of the alert.
This would make extracting data from various protocols not supported explicitly much easier. For example extraction of sip caller and callee would be as easy as http url extraction now.
Even better option would be export it into eve.json in some nicely structured way.
Yes and no - having entire payload dumped into .json is definitely better than nothing but on the other hand it will result in lot's of useless data transfers. Would be much better if there would be a way to selective choose which part of the payload is dumped and which is not. As far as I understood all the matching facilities are already there (pcre engine, offset-length byte selection etc) - would be nice to have an ability to use them not just for boolen outcome (match/doesn't), but have access to intermediary results as well - $1, $2 for pcre, content at offset etc, so they could be saved into .json instead of entire payload.
- Assignee set to Anonymous
- Target version set to TBD
- Status changed from New to Closed
- Assignee deleted (
Anonymous)
- Target version deleted (
TBD)
Addressed for EVE records by #2352: logging metadata from both rules and traffic.
Also available in: Atom
PDF