Project

General

Profile

Actions
Copy link

Feature #1830

closed

support 'tag' in eve log

Added by Victor Julien almost 8 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
3.1.2
Effort:
Difficulty:
Label:

Description

When using the tag keyword special tag records are being written out to unified2. This way more packets than just the one triggering the alert are logged.

Eve should support the same thing. Probably through the 'alert' record with a special sid/gid like in unified2.

Actions
Copy link
 #1

Updated by Jason Ish over 7 years ago

Actually unified2 doesn't have the special alert record with the tagged gid/sid anymore. A packet is a discrete record that contains an "event_id" and "event_second" to associate with the alert record previously seen in the unified file.

I thought we could do something similar, a "packet" eve record?

Actions
Copy link
 #2

Updated by Victor Julien over 7 years ago

I like the packet eve record idea.

Actions
Copy link
 #4

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.1.2
Actions
Copy link

Also available in: Atom PDF