Feature #2015: eve: add fileinfo in alert
Status: closed
Description
Alerts in EVE format do not have the fileinfo in them. It could be nice to add that to the list of fields displayed.
Added by Eric Leblond over 8 years ago. Updated over 5 years ago.
It may be a bit tricky to get from a file sig matching to adding the correct file to the alert record.
Couple of things: a signature that inspects files uses 'Signature::file_flags' to indicate this, e.g. by setting FILE_SIG_NEED_FILE.
The specific file might be a bit harder. In protocols like SMB, NFS, FTP we have a file per tx and the tx id is unique and available in the alert. But for HTTP and SMTP we can have multiple files. Each file has a 'File::file_track_id', so perhaps this can be stored when an alert is generated based on a file.
This should be done after the jsonbuilder work is merged.
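Added example, not code from the ticket or from Suricata itself: until alerts carry fileinfo, a consumer can join alert and fileinfo records from the EVE log on (flow_id, tx_id). It assumes both event types carry those two fields; the EVE lines are constructed. The join also shows the ambiguity noted above: for protocols like HTTP, one tx can carry several files, so the join alone cannot say which file the signature matched.

```python
import json
from collections import defaultdict

# Constructed sample EVE lines (not a real capture): an SMB tx with one file,
# an HTTP tx with two files, and an alert with no file at all.
SAMPLE_EVE = """\
{"event_type":"fileinfo","flow_id":1,"tx_id":0,"app_proto":"smb","fileinfo":{"filename":"a.exe","state":"CLOSED","size":10}}
{"event_type":"alert","flow_id":1,"tx_id":0,"app_proto":"smb","alert":{"signature_id":1000001,"signature":"test smb file"}}
{"event_type":"fileinfo","flow_id":2,"tx_id":3,"app_proto":"http","fileinfo":{"filename":"one.bin","state":"CLOSED","size":5}}
{"event_type":"fileinfo","flow_id":2,"tx_id":3,"app_proto":"http","fileinfo":{"filename":"two.bin","state":"CLOSED","size":7}}
{"event_type":"alert","flow_id":2,"tx_id":3,"app_proto":"http","alert":{"signature_id":1000002,"signature":"test http file"}}
{"event_type":"alert","flow_id":3,"tx_id":0,"app_proto":"http","alert":{"signature_id":1000003,"signature":"no file"}}
"""


def attach_fileinfo(lines):
    """Return alert records with a 'files' list joined from fileinfo records
    that share the same (flow_id, tx_id). Assumption: both event types carry
    flow_id and tx_id. fileinfo may be logged before or after the alert, so
    collect everything first and join in a second pass."""
    files = defaultdict(list)
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        key = (rec.get("flow_id"), rec.get("tx_id"))
        if rec.get("event_type") == "fileinfo":
            files[key].append(rec["fileinfo"])
        elif rec.get("event_type") == "alert":
            alerts.append((key, rec))

    out = []
    for key, rec in alerts:
        rec = dict(rec)
        rec["files"] = files.get(key, [])
        # One file per tx (SMB, NFS, FTP) gives an exact match; several files
        # per tx (HTTP, SMTP) cannot be resolved without the file track id.
        n = len(rec["files"])
        rec["file_match"] = "none" if n == 0 else "exact" if n == 1 else "ambiguous"
        out.append(rec)
    return out
```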