Feature #2253

closed

Log rule metadata in alert event

Added by Eric Leblond almost 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal

Description

Emerging Threats and Positive Technologies are now using metadata to store additional high-level info in the signatures. Following the usage described in the Snort documentation and already implemented in the Sourcefire ruleset, they are using a key [value without comma] format.

This provides really interesting information to the analyst, and he would benefit from being able to use it in searches on the storage backend.

Suricata could provide that by storing the metadata as a dictionary under the alert subobject.

#1

Updated by Victor Julien almost 4 years ago

  • Subject changed from Log alert metadata in alert event to Log rule metadata in alert event

#2

Updated by Andreas Herz almost 4 years ago

  • Target version set to TBD

#3

Updated by Jason Ish over 3 years ago

  • Status changed from New to Closed
  • Target version changed from TBD to 4.1beta1

Merged as part of this PR: https://github.com/OISF/suricata/pull/3209

The merged version logs all metadata values as lists so we don't have to make a decision as to what should be logged flat, or as a list.
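
The behaviour discussed in this ticket, sketched as an added example (not Suricata's code and not part of the original thread): it parses the `key value` metadata pairs of a rule into a dictionary whose values are always lists, then filters an alert event on one pair. The sample rule, the sid, the function names and the placement under an `alert.metadata` key are constructed assumptions.

```python
import re

# Constructed sample rule for illustration; not taken from any real ruleset.
SAMPLE_RULE = (
    'alert http any any -> any any (msg:"EXAMPLE metadata: not parsed"; '
    'content:"example"; metadata: affected_product Web_Server, tag Example, '
    'tag Demo, note value with spaces; sid:1000001; rev:1;)'
)

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
_METADATA = re.compile(r'\bmetadata\s*:\s*([^;]*);')


def parse_rule_metadata(rule):
    """Return the rule's metadata as {key: [value, ...]}."""
    # Blank out quoted strings so "metadata:" inside msg/content is ignored.
    unquoted = _QUOTED.sub('""', rule)
    result = {}
    for body in _METADATA.findall(unquoted):
        for pair in body.split(','):
            # Key is the first word; the value is the rest (no commas).
            key, _, value = pair.strip().partition(' ')
            value = value.strip()
            if key and value:
                # Always a list, even for one value, so the schema is stable.
                result.setdefault(key, []).append(value)
    return result


def build_alert_event(rule, signature_id):
    """Build a minimal alert event carrying the rule metadata (assumed layout)."""
    return {
        "event_type": "alert",
        "alert": {"signature_id": signature_id,
                  "metadata": parse_rule_metadata(rule)},
    }


def has_metadata(event, key, value):
    """Analyst-side filter: does this alert carry metadata key == value?"""
    return value in event.get("alert", {}).get("metadata", {}).get(key, [])


if __name__ == "__main__":
    event = build_alert_event(SAMPLE_RULE, 1000001)
    print(event["alert"]["metadata"])
    print(has_metadata(event, "tag", "Demo"))
```

Because every value is a list, a search such as `has_metadata(event, "tag", "Demo")` works the same way whether a key appears once or several times in the rule.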
