Project

General

Profile

Actions
Copy link

Feature #2253

closed

Log rule metadata in alert event

Added by Eric Leblond over 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Eric Leblond
Target version:
4.1beta1
Effort:
Difficulty:
Label:

Description

Emerging threats and Positive technologies are now using metadata to store additional high level info in the signatures. Following usage describe in Snort documentation and already implemented in sourcefire ruleset, they are using a key [value without comma] format.

This provides really interesting information to the analyst and he would benefit of being able to use it in search on the storage backend.

Suricata could provide that by storing the metadata as a dictionary under the alert subobject.

Actions
Copy link
 #1

Updated by Victor Julien over 6 years ago

  • Subject changed from Log alert metadata in alert event to Log rule metadata in alert event
Actions
Copy link
 #2

Updated by Andreas Herz over 6 years ago

  • Target version set to TBD
Actions
Copy link
 #3

Updated by Jason Ish about 6 years ago

  • Status changed from New to Closed
  • Target version changed from TBD to 4.1beta1

Merged as part of this PR: https://github.com/OISF/suricata/pull/3209

The merged version logs all metadata values as lists so we don't have to make a decision as to what should be logged flat, or as a list.

Actions
Copy link

Also available in: Atom PDF