Log rule metadata in alert event
Emerging Threats and Positive Technologies are now using metadata to store additional high-level info in the signatures. Following the usage described in the Snort documentation and already implemented in the Sourcefire ruleset, they are using a key [value without comma] format.
This provides really interesting information to the analyst, who would benefit from being able to use it in searches on the storage backend.
Suricata could provide that by storing the metadata as a dictionary under the alert subobject.
Updated by Jason Ish over 5 years ago
- Status changed from New to Closed
- Target version changed from TBD to 4.1beta1
Merged as part of this PR: https://github.com/OISF/suricata/pull/3209
The merged version logs all metadata values as lists so we don't have to make a decision as to what should be logged flat, or as a list.
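Added example (not Suricata's own code and not taken from the PR above): a small Python parser for the comma-separated "key value" metadata format from the description, emitting every key as a list the way the merged version does, plus the kind of backend search the analyst is after. The sample rule, IP addresses and function names are constructed for illustration.

```python
import json
import re

# Constructed example signature in the Emerging Threats style: the metadata
# option holds "key value" pairs separated by commas (values contain no commas).
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXAMPLE constructed rule"; '
    'content:"GET"; metadata:affected_product Any, attack_target Client_Endpoint, '
    'deployment Perimeter, tag Example, tag Constructed, signature_severity Major, '
    'created_at 2018_01_01; classtype:trojan-activity; sid:9000001; rev:1;)'
)

# Simplified: assumes "metadata" does not also appear inside a quoted content string.
_METADATA_RE = re.compile(r'\bmetadata\s*:\s*([^;]*);')


def parse_metadata(rule: str) -> dict:
    """Parse the metadata option into {key: [values...]}. Every key maps to a
    list, even when seen once, as in the merged Suricata change; repeated keys
    (several "tag" entries, for example) accumulate in order."""
    m = _METADATA_RE.search(rule)
    out: dict = {}
    if not m:
        return out
    for pair in m.group(1).split(','):
        pair = pair.strip()
        if not pair:
            continue
        key, _, value = pair.partition(' ')  # first token is the key, rest is the value
        out.setdefault(key, []).append(value.strip())
    return out


def build_alert_event(rule: str, sid: int, src: str, dst: str) -> dict:
    """Minimal EVE-style alert record with the metadata dictionary under 'alert'."""
    return {
        "event_type": "alert", "src_ip": src, "dest_ip": dst,
        "alert": {"signature_id": sid, "metadata": parse_metadata(rule)},
    }


def alerts_with_metadata(events, key: str, value: str) -> list:
    """The search an analyst wants on the backend: events whose alert.metadata[key] holds value."""
    return [e for e in events
            if value in e.get("alert", {}).get("metadata", {}).get(key, [])]


if __name__ == "__main__":
    print(json.dumps(build_alert_event(SAMPLE_RULE, 9000001, "10.0.0.5", "192.0.2.10"), indent=2))
```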