Added by Eric Leblond about 9 years ago. Updated almost 6 years ago.
Description
Alert in EVE format do not have the fileinfo in them. It could be nice to add that to the list of fields displayed.
It may be a bit tricky to get from a file sig matching to adding the correct file to the alert record.
Couple of things: a signature that inspects files uses 'Signature::file_flags' to indicate this, e.g. by setting FILE_SIG_NEED_FILE
The specific file might be a bit harder. In protocols like SMB, NFS, FTP we have a file per tx and the tx id is unique and available in the alert. But for HTTP and SMTP we can have multiple files. Each file has a 'File::file_track_id', so perhaps this can be stored when an alert is generated based on a file.
This should be done after the jsonbuilder work is merged.