Feature #2020
eve: add body of signature to eve.json alert
Status: Closed
Description
This is a request to add the body of a signature to the eve.json alert when it is fired. When an analyst examines an alert, having the payload is excellent, but without the context of the raw rule (which is of varying use depending on the analyst's skill), sometimes work is put into what would clearly be a false positive with the context of the rule in the alert.
This was submitted after discussion with Jason Ish.
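Added example, not code from this ticket or from Suricata: a small Python triage helper showing what an analyst can do once the rule body travels with the alert. It assumes the rule text is logged under the alert object as `rule` (the key name the PR discussion below settles on; its exact placement in the record is an assumption), parses the rule's `content:` matches, and checks each one against the logged payload. The eve.json records it reads are constructed. The comparison is against the raw payload only and ignores sticky buffers and positional modifiers (`http_uri`, `distance`, `within`), so it is a quick false-positive screen, not a re-implementation of the detection engine.

```python
"""Line up the content matches of an eve.json alert's rule text against
the logged payload. Added example; assumes the rule body is logged as
alert.rule (key name from this ticket; placement is an assumption)."""
import base64
import json
import re

# Constructed sample records (not captured output). The "rule" key under
# "alert" is the field this feature request asks for.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2018-03-01T10:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
        "alert": {
            "action": "allowed", "gid": 1, "signature_id": 1000001, "rev": 1,
            "signature": "LOCAL admin path", "category": "Misc activity",
            "severity": 3,
            "rule": 'alert tcp any any -> any 80 (msg:"LOCAL admin path"; '
                    'flow:established,to_server; content:"GET"; http_method; '
                    'content:"/admin"; http_uri; nocase; '
                    'content:!"|0d 0a|X-Scanner"; sid:1000001; rev:1;)',
        },
        "payload_printable": "GET /ADMIN HTTP/1.1\r\nHost: internal\r\n\r\n",
        "payload": base64.b64encode(
            b"GET /ADMIN HTTP/1.1\r\nHost: internal\r\n\r\n").decode(),
    }),
    json.dumps({  # record from a build without the feature: no "rule" key
        "timestamp": "2018-03-01T10:00:01.000000+0000",
        "event_type": "alert",
        "alert": {"signature_id": 1000002, "signature": "LOCAL no rule text"},
        "payload": base64.b64encode(b"\x00\x01hello").decode(),
    }),
    json.dumps({"event_type": "flow", "flow": {}}),  # not an alert
]

HEX_CHUNK = re.compile(r"\|([0-9a-fA-F\s]+)\|")


def split_rule_options(rule_text):
    """Return [(keyword, value_or_None)] from the parenthesised rule body.
    Splits on ';' outside double quotes and honours backslash escapes."""
    start, end = rule_text.find("("), rule_text.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option body")
    body = rule_text[start + 1:end]
    options, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])  # keep escape pair intact
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if "".join(cur).strip():
        options.append("".join(cur).strip())
    result = []
    for opt in options:
        if not opt:
            continue
        key, sep, val = opt.partition(":")
        result.append((key.strip(), val.strip() if sep else None))
    return result


def unescape(text):
    """Drop rule-syntax backslash escapes (\\" \\; \\\\) and return bytes."""
    return re.sub(r"\\(.)", r"\1", text).encode("latin-1")


def decode_content(raw):
    """Turn a content value such as !"GET|20|/" into (negated, bytes);
    |hh hh| chunks become raw bytes."""
    negated = raw.startswith("!")
    quoted = raw.lstrip("!").strip()
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("unquoted content: %r" % raw)
    inner = quoted[1:-1]
    out, pos = bytearray(), 0
    for m in HEX_CHUNK.finditer(inner):
        out += unescape(inner[pos:m.start()])
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += unescape(inner[pos:])
    return negated, bytes(out)


def content_checks(rule_text):
    """Collect content matches; a following 'nocase' applies to the last one."""
    checks = []
    for key, val in split_rule_options(rule_text):
        if key == "content":
            negated, pattern = decode_content(val)
            checks.append({"pattern": pattern, "negated": negated, "nocase": False})
        elif key == "nocase" and checks:
            checks[-1]["nocase"] = True
    return checks


def triage_alert(eve_line):
    """Summarise one alert record: which content matches are actually in
    the payload. Returns None for non-alert events."""
    rec = json.loads(eve_line)
    if rec.get("event_type") != "alert":
        return None
    alert = rec["alert"]
    payload = base64.b64decode(rec["payload"]) if "payload" in rec else b""
    summary = {"sid": alert.get("signature_id"), "msg": alert.get("signature"),
               "rule": alert.get("rule"), "contents": []}
    if summary["rule"] is None:
        return summary  # older build: nothing to compare against
    for chk in content_checks(summary["rule"]):
        if chk["nocase"]:
            present = chk["pattern"].lower() in payload.lower()
        else:
            present = chk["pattern"] in payload
        summary["contents"].append({**chk, "present": present,
                                    "satisfied": present != chk["negated"]})
    summary["all_satisfied"] = all(c["satisfied"] for c in summary["contents"])
    return summary


if __name__ == "__main__":
    for line in SAMPLE_EVE_LINES:
        print(triage_alert(line))
```

An alert whose `all_satisfied` is false against the raw payload is worth a second look, but not an automatic false positive: a content tied to a sticky buffer can legitimately match data the raw-payload check does not see.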
Updated by Victor Julien almost 8 years ago
- Subject changed from Add body of signature to eve.json alert to eve: add body of signature to eve.json alert
- Target version set to TBD
Updated by Martin Natano over 7 years ago
Pull request available here: https://github.com/inliniac/suricata/pull/2879
Updated by Martin Natano over 7 years ago
Update PR available here: https://github.com/inliniac/suricata/pull/2881 ('signature-text' replaced with 'rule', as suggested by jasonish)
Updated by Martin Natano over 7 years ago
Update PR available here: https://github.com/inliniac/suricata/pull/2897 (proper error checking in out of memory conditions; noticed by inliniac)
Updated by Jason Ish almost 7 years ago
- Status changed from New to Closed
- Target version changed from TBD to 4.1beta1
This work has now been merged. See https://github.com/OISF/suricata/pull/2897 and https://github.com/OISF/suricata/pull/3209.