Feature #2015 (closed)
eve: add fileinfo in alert
Description
Alerts in EVE format do not have the fileinfo in them. It could be nice to add that to the list of fields displayed.
Updated by Victor Julien about 9 years ago
- Target version set to TBD
Updated by Victor Julien about 9 years ago
- Subject changed from Add fileinfo in alert to eve: add fileinfo in alert
- Assignee set to OISF Dev
Updated by Victor Julien almost 7 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jeff Lucovsky
- Target version changed from TBD to 70
It may be a bit tricky to get from a file sig matching to adding the correct file to the alert record.
Couple of things: a signature that inspects files uses 'Signature::file_flags' to indicate this, e.g. by setting FILE_SIG_NEED_FILE
The specific file might be a bit harder. In protocols like SMB, NFS, FTP we have a file per tx and the tx id is unique and available in the alert. But for HTTP and SMTP we can have multiple files. Each file has a 'File::file_track_id', so perhaps this can be stored when an alert is generated based on a file.
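The approach sketched in the comment above (record which file a file-inspecting signature matched at alert time, then resolve that id when the EVE alert record is written) as a standalone C model. This is an added example and not Suricata's code: the struct names, `SIG_NEED_FILE`, `alert_from_match`, `alert_lookup_file`, `alert_to_eve_json` and `demo` are hypothetical stand-ins for the real `Signature::file_flags`/`FILE_SIG_NEED_FILE` and `File::file_track_id` named in the comment, and the sample HTTP transaction carrying two files is constructed for the demo.

```c
/* Added example, not Suricata code. Models an alert that remembers the
 * file_track_id of the file it matched so EVE output can attach fileinfo. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define MAX_FILES 8
#define SIG_NEED_FILE 0x01   /* hypothetical stand-in for FILE_SIG_NEED_FILE */

typedef struct File {
    uint32_t file_track_id;  /* unique id of the file within its tx/flow */
    const char *name;
    uint64_t size;
} File;

typedef struct Tx {
    uint64_t tx_id;
    File files[MAX_FILES];   /* HTTP/SMTP: possibly several files per tx */
    int file_count;
} Tx;

typedef struct Signature {
    uint32_t sid;
    uint32_t file_flags;     /* stand-in for Signature::file_flags */
} Signature;

typedef struct Alert {
    uint32_t sid;
    uint64_t tx_id;
    bool has_file;           /* false when the signature did not inspect a file */
    uint32_t file_track_id;  /* only meaningful when has_file is true */
} Alert;

/* Build the alert at match time. Only the track id is stored, not a pointer:
 * the file may be pruned before the output thread runs. */
Alert alert_from_match(const Signature *s, const Tx *tx, const File *matched)
{
    Alert a = { .sid = s->sid, .tx_id = tx->tx_id, .has_file = false, .file_track_id = 0 };
    if ((s->file_flags & SIG_NEED_FILE) && matched != NULL) {
        a.has_file = true;
        a.file_track_id = matched->file_track_id;
    }
    return a;
}

/* Resolve an alert back to its file. NULL when the alert carried no file or
 * the id is no longer present in the tx (output then degrades gracefully). */
const File *alert_lookup_file(const Alert *a, const Tx *tx)
{
    if (!a->has_file)
        return NULL;
    for (int i = 0; i < tx->file_count; i++)
        if (tx->files[i].file_track_id == a->file_track_id)
            return &tx->files[i];
    return NULL;
}

/* Render a minimal EVE-style alert, adding a fileinfo object only when the
 * file resolved. Returns bytes written, or -1 if the buffer was too small. */
int alert_to_eve_json(const Alert *a, const Tx *tx, char *out, size_t outlen)
{
    const File *f = alert_lookup_file(a, tx);
    int n;
    if (f)
        n = snprintf(out, outlen,
                     "{\"event_type\":\"alert\",\"tx_id\":%llu,\"alert\":{\"signature_id\":%u},"
                     "\"fileinfo\":{\"filename\":\"%s\",\"size\":%llu,\"file_id\":%u}}",
                     (unsigned long long)a->tx_id, a->sid, f->name,
                     (unsigned long long)f->size, f->file_track_id);
    else
        n = snprintf(out, outlen,
                     "{\"event_type\":\"alert\",\"tx_id\":%llu,\"alert\":{\"signature_id\":%u}}",
                     (unsigned long long)a->tx_id, a->sid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Constructed sample: one tx with two files; the signature matches the second.
 * Returns the file_track_id carried by the alert (0 when no fileinfo). */
int demo(bool sig_needs_file)
{
    Tx tx = { .tx_id = 7, .file_count = 2,
              .files = { { .file_track_id = 1, .name = "index.html", .size = 512 },
                         { .file_track_id = 2, .name = "payload.bin", .size = 4096 } } };
    Signature sig = { .sid = 1000001, .file_flags = sig_needs_file ? SIG_NEED_FILE : 0 };
    Alert a = alert_from_match(&sig, &tx, &tx.files[1]);
    char buf[256];
    if (alert_to_eve_json(&a, &tx, buf, sizeof buf) < 0)
        return -1;
    puts(buf);
    return (int)a.file_track_id;
}

int main(void) { return demo(true) == 2 && demo(false) == 0 ? 0 : 1; }
```

Storing the id rather than a `File *` is the point: the lookup can fail harmlessly and the alert is still written, just without fileinfo. For protocols with one file per tx (SMB, NFS, FTP in the comment) the same lookup works with `file_count == 1`, so the tx id alone would already identify the file.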
Updated by Victor Julien over 6 years ago
- Target version changed from 70 to 6.0.0beta1
Updated by Victor Julien almost 6 years ago
This should be done after the jsonbuilder work is merged.
Updated by Victor Julien almost 6 years ago
- Priority changed from Normal to High
Updated by Jeff Lucovsky almost 6 years ago
- Status changed from Assigned to In Review
Updated by Victor Julien almost 6 years ago
- Status changed from In Review to Closed
- Priority changed from High to Normal