Feature #2020

closed

eve: add body of signature to eve.json alert

Added by erik clark over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-

Description

This is a request to add the body of a signature to the eve.json alert when it is fired. When an analyst examines an alert, having the payload is excellent, but without the context of the raw rule (which is of varying use depending on the analyst's skill), work is sometimes put in on what would clearly be a false positive if the rule's context were in the alert.

This was submitted after discussion with Jason Ish.

#1

Updated by Victor Julien over 4 years ago

  • Subject changed from Add body of signature to eve.json alert to eve: add body of signature to eve.json alert
  • Target version set to TBD
#2

Updated by Andreas Herz over 4 years ago

  • Assignee set to Anonymous
#3

Updated by Martin Natano about 4 years ago

#4

Updated by Martin Natano about 4 years ago

Update PR available here: https://github.com/inliniac/suricata/pull/2881 ('signature-text' replaced with 'rule', as suggested by jasonish)

#5

Updated by Martin Natano about 4 years ago

Update PR available here: https://github.com/inliniac/suricata/pull/2897 (proper error checking in out of memory conditions; noticed by inliniac)

#6

Updated by Jason Ish over 3 years ago

  • Status changed from New to Closed
  • Target version changed from TBD to 4.1beta1