Feature #2253

closed

Log rule metadata in alert event

Added by Eric Leblond about 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Emerging Threats and Positive Technologies are now using metadata to store additional high-level info in the signatures. Following the usage described in the Snort documentation and already implemented in the Sourcefire ruleset, they are using a key [value without comma] format.

This provides really interesting information to the analyst, who would benefit from being able to use it in searches on the storage backend.

Suricata could provide that by storing the metadata as a dictionary under the alert subobject.
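As an added illustration of the request (example code written for this page, not Suricata's own implementation), the parser below pulls the `metadata` option out of a rule, splits the comma-separated `key value` entries into a dictionary, and places that dictionary under the `alert` sub-object of an EVE-style event. The sample rule is constructed for the example (sid 9000001, a made-up host) and is not a real ET or PT signature. One design choice is this example's own, not something the issue specifies: because a key such as `tag` can appear several times in a rule, each key maps to a list of values rather than a single string.

```python
import json
import re
from typing import Dict, List

# Constructed sample rule in Snort/Suricata syntax; not a real signature.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE Outbound request to constructed host"; '
    'content:"example.invalid"; http_host; '
    'metadata: affected_product Web_Server_Applications, '
    'attack_target Client_Endpoint, deployment Perimeter, '
    'signature_severity Major, created_at 2017_10_19, updated_at 2017_10_19; '
    'classtype:trojan-activity; sid:9000001; rev:1;)'
)


def extract_metadata_option(rule: str) -> str:
    """Return the raw text of the rule's metadata option, or '' if absent."""
    # Rule options end at ';'. Metadata values contain no ';' by convention,
    # so everything up to the first ';' after 'metadata:' is the option body.
    m = re.search(r'\bmetadata\s*:\s*([^;]*);', rule)
    return m.group(1).strip() if m else ''


def parse_metadata(raw: str) -> Dict[str, List[str]]:
    """Split 'key value, key value' entries into a dictionary.

    Each comma-separated entry is split on its first whitespace run into a key
    and a value. The value may contain spaces but, per the Snort convention the
    issue cites, no comma. Repeated keys accumulate into a list (this example's
    design choice).
    """
    metadata: Dict[str, List[str]] = {}
    for entry in raw.split(','):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) == 2 else ''
        metadata.setdefault(key, []).append(value)
    return metadata


def build_alert_event(rule: str) -> dict:
    """Assemble an EVE-style alert object carrying the metadata dictionary.

    Only the fields needed for the illustration (sid, msg, metadata) are
    extracted; a real alert record carries many more.
    """
    sid_m = re.search(r'\bsid\s*:\s*(\d+)\s*;', rule)
    msg_m = re.search(r'\bmsg\s*:\s*"([^"]*)"\s*;', rule)
    return {
        "event_type": "alert",
        "alert": {
            "signature_id": int(sid_m.group(1)) if sid_m else None,
            "signature": msg_m.group(1) if msg_m else "",
            # The dictionary the issue asks for, searchable on a storage backend.
            "metadata": parse_metadata(extract_metadata_option(rule)),
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_alert_event(SAMPLE_RULE), indent=2))
```

Running the script prints the alert object with `alert.metadata` populated, so a backend such as an index over EVE JSON can filter on fields like `alert.metadata.signature_severity` directly.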
