Documentation #2620

open

Documentation: tagged_packets / event_type packet

Added by Jack Mott about 3 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Improve logging documentation around tagged_packets and eve json field "event_type packet".


Related issues

Related to Documentation #2699: document all eve record types and fields (Assigned to Sascha Steinbiss)
Actions #1

Updated by Andreas Herz about 3 years ago

  • Target version set to Documentation

We need to add it to the keywords section as well as to the EVE (JSON Format) section.

Suggested example rule:


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HackerDefender? Root Kit Remote Connection Attempt Detected"; flow: established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes; tag: session, 20, packets; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2001743; classtype:trojan-activity; sid:2001743; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
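
As an added illustration of what the `tag:` keyword in a rule like the one above produces on the logging side (this is not code from the ticket or from Suricata itself): a short Python script that reads EVE JSON lines, keeps the `event_type: packet` records emitted for tagged packets, decodes their base64 payload and ties them back to the alert on the same flow. The sample log lines are constructed for the example, and the field names it relies on (`flow_id`, `alert.signature_id`, `packet`, `packet_info`) are assumptions about the EVE layout rather than something the ticket states.

```python
"""Correlate EVE 'packet' events (tagged packets) with the alert that caused them.

Added example, not Suricata code. Field names are assumed to follow the EVE
JSON layout: alerts carry alert.signature_id, tagged packets arrive as
event_type "packet" with a base64 "packet" field, and both share flow_id.
"""
import base64
import json
from collections import defaultdict

# Constructed sample EVE lines (not real Suricata output).
SAMPLE_EVE = [
    '{"timestamp":"2019-01-01T00:00:00.000000+0000","flow_id":101,'
    '"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10",'
    '"proto":"TCP","alert":{"signature_id":2001743,"rev":8,'
    '"signature":"constructed test signature"}}',
    '{"timestamp":"2019-01-01T00:00:00.100000+0000","flow_id":101,'
    '"event_type":"packet","packet":"AZqMZg==","packet_info":{"linktype":1}}',
    '{"timestamp":"2019-01-01T00:00:00.200000+0000","flow_id":101,'
    '"event_type":"packet","packet":"3q2+7w==","packet_info":{"linktype":1}}',
    # A tagged packet whose alert is missing from this log (e.g. rotated away).
    '{"timestamp":"2019-01-01T00:00:01.000000+0000","flow_id":202,'
    '"event_type":"packet","packet":"AZqMZg==","packet_info":{"linktype":1}}',
    # An unrelated record type that must be ignored.
    '{"timestamp":"2019-01-01T00:00:02.000000+0000","flow_id":303,'
    '"event_type":"flow"}',
    'this line is not JSON and must be skipped',
]


def parse_eve(lines):
    """Parse EVE JSON lines, dropping anything that is not an event object."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "event_type" in obj:
            events.append(obj)
    return events


def decode_packet(event):
    """Return the raw bytes of a 'packet' event, or None if absent or not base64."""
    data = event.get("packet")
    if not isinstance(data, str):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:
        return None


def correlate_tagged_packets(events):
    """Group tagged packets by flow_id and attach the first alert's signature_id.

    Flows that have tagged packets but no alert in the input get
    signature_id None, so an analyst can see the gap instead of losing them.
    """
    alerts = {}
    tagged = defaultdict(list)
    for ev in events:
        fid = ev.get("flow_id")
        if ev.get("event_type") == "alert":
            alerts.setdefault(fid, ev.get("alert", {}).get("signature_id"))
        elif ev.get("event_type") == "packet":
            raw = decode_packet(ev)
            if raw is not None:
                tagged[fid].append(raw)
    return {
        fid: {"signature_id": alerts.get(fid), "packets": pkts}
        for fid, pkts in tagged.items()
    }


if __name__ == "__main__":
    for fid, info in correlate_tagged_packets(parse_eve(SAMPLE_EVE)).items():
        sizes = [len(p) for p in info["packets"]]
        print(f"flow {fid}: sid={info['signature_id']} tagged packets={sizes}")
```

Run it as-is to see the two tagged packets of flow 101 attributed to sid 2001743 and the orphaned packet on flow 202 reported with no signature; pointing `parse_eve` at a real eve.json is the only change needed for live data.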

Actions #2

Updated by Victor Julien almost 3 years ago

Actions #3

Updated by Victor Julien over 2 years ago

  • Assignee set to Community Ticket
Actions #4

Updated by Victor Julien over 2 years ago

  • Target version changed from Documentation to TBD
Actions #5

Updated by Andreas Herz about 2 years ago

  • Tracker changed from Optimization to Documentation