Project

General

Profile

Actions

Feature #2015

closed

eve: add fileinfo in alert

Added by Eric Leblond over 7 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Alert in EVE format do not have the fileinfo in them. It could be nice to add that to the list of fields displayed.

Actions #1

Updated by Victor Julien over 7 years ago

  • Target version set to TBD
Actions #2

Updated by Victor Julien over 7 years ago

  • Subject changed from Add fileinfo in alert to eve: add fileinfo in alert
  • Assignee set to OISF Dev
Actions #3

Updated by Victor Julien about 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jeff Lucovsky
  • Target version changed from TBD to 70

It may be a bit tricky to get from a file sig matching to adding the correct file to the alert record.

Couple of things: a signature that inspects files uses 'Signature::file_flags' to indicate this, e.g. by setting FILE_SIG_NEED_FILE

The specific file might be a bit harder. In protocols like SMB, NFS, FTP we have a file per tx and the tx id is unique and available in the alert. But for HTTP and SMTP we can have multiple files. Each file has a 'File::file_track_id', so perhaps this can be stored when an alert is generated based on a file.

Actions #4

Updated by Victor Julien over 4 years ago

  • Target version changed from 70 to 6.0.0beta1
Actions #5

Updated by Victor Julien almost 4 years ago

This should be done after the jsonbuilder work is merged.

Actions #6

Updated by Victor Julien almost 4 years ago

  • Priority changed from Normal to High
Actions #7

Updated by Jeff Lucovsky almost 4 years ago

  • Status changed from Assigned to In Review
Actions #8

Updated by Victor Julien almost 4 years ago

  • Status changed from In Review to Closed
  • Priority changed from High to Normal
Actions

Also available in: Atom PDF