Feature #8245 (open)
Add payload-only-classtypes filter for EVE alert payload extraction
Description
Add a new configuration option to filter payload extraction in EVE JSON alerts based on the rule's classtype.
Currently, when `payload: yes` is enabled in the alert output, payloads are extracted for all alerts. In some environments we want payloads to be extracted only for specific rules (and we use `classtypes` for that).
I envision adding an optional `payload-only-classtypes` configuration parameter under the alert output type that accepts a list of classtype names.
When configured:
- Payloads are only extracted for alerts whose classtype matches one in the list
- If the list is empty or not configured, the default behavior is preserved (payloads extracted for all alerts when `payload: yes`)
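The decision rules above, modelled as an added Python example (not Suricata's own code and not from the linked PRs). The config dicts mirror a hypothetical `alert` block of `eve-log` with the proposed `payload-only-classtypes` key; the EVE events, the rule classtypes and the payload bytes are constructed for the example, and the way the classtype reaches the filter is an assumption.

```python
import base64

# Proposed suricata.yaml shape this example models (assumed, from the request):
#
# outputs:
#   - eve-log:
#       types:
#         - alert:
#             payload: yes
#             payload-only-classtypes:
#               - trojan-activity
#               - attempted-admin


def should_extract_payload(alert_cfg, rule_classtype):
    """Decide whether the payload is attached to an EVE alert.

    alert_cfg mirrors the 'alert' block of eve-log (a dict here).
    rule_classtype is the classtype of the matched rule (assumed to be
    available to the output module).
      - payload: no                    -> never
      - list absent or empty           -> every alert (current default)
      - list configured and non-empty  -> only listed classtypes
    """
    if not alert_cfg.get("payload", False):
        return False
    allowed = alert_cfg.get("payload-only-classtypes") or []
    if not allowed:
        return True
    return rule_classtype in allowed


def render_alert(alert_cfg, event, rule_classtype, raw_payload):
    """Return the EVE alert record, adding the base64 'payload' field
    only when the filter permits it. 'event' is the record without payload."""
    record = dict(event)
    if should_extract_payload(alert_cfg, rule_classtype):
        record["payload"] = base64.b64encode(raw_payload).decode("ascii")
    return record


# Constructed configurations covering the three cases in the request.
CONFIG_FILTERED = {"payload": True,
                   "payload-only-classtypes": ["trojan-activity", "attempted-admin"]}
CONFIG_DEFAULT = {"payload": True}                       # key not configured
CONFIG_EMPTY = {"payload": True, "payload-only-classtypes": []}
CONFIG_OFF = {"payload": False, "payload-only-classtypes": ["trojan-activity"]}

# Constructed EVE alert (without payload) and payload bytes.
SAMPLE_EVENT = {
    "timestamp": "2024-01-01T00:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 51234,
    "dest_ip": "10.0.0.9", "dest_port": 80, "proto": "TCP",
    "alert": {"signature_id": 1000001, "rev": 1,
              "signature": "EXAMPLE constructed test rule",
              "category": "A Network Trojan was detected"},
}
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\n"


def payload_present(alert_cfg, rule_classtype):
    """Helper: does the rendered record carry a payload field?"""
    return "payload" in render_alert(alert_cfg, SAMPLE_EVENT, rule_classtype, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    for name, cfg in [("filtered", CONFIG_FILTERED), ("default", CONFIG_DEFAULT),
                      ("empty-list", CONFIG_EMPTY), ("payload-off", CONFIG_OFF)]:
        for ct in ("trojan-activity", "misc-activity"):
            print(f"{name:12s} {ct:16s} payload={payload_present(cfg, ct)}")
```

Running the block prints the payload decision for each configuration and classtype; note that an empty list and an absent key behave identically (all alerts get payloads), which is the default-preserving behaviour the request asks for.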
Updated by Philippe Antoine 10 days ago
- Status changed from New to In Review
- Assignee set to Amir Boussejra
https://github.com/OISF/suricata/pull/15042 was the last PR
Updated by Amir Boussejra 9 days ago
New MR here:
https://github.com/OISF/suricata/pull/15531