Feature #8245: Add payload-only-classtypes filter for EVE alert payload extraction - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #8245

open

Add payload-only-classtypes filter for EVE alert payload extraction

Added by Amir Boussejra about 15 hours ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

TBD

Effort:

low

Difficulty:

Label:

Description

Add a new configuration option to filter payload extraction in EVE JSON alerts based on the rule's classtype.

Currently, when payload: yes is enabled in the alert output, payloads are extracted for all alerts. In some environments we want payloads to be extracted only for specific rules (and we use `classtypes` for that).

I envision adding an optional payload-only-classtypes configuration parameter under the alert output type that accepts a list of classtype names.

When configured:
- Payloads are only extracted for alerts whose classtype matches one in the list
- If the list is empty or not configured, the default behavior is preserved (payloads extracted for all alerts when payload: yes)

No data to display

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #8245

Add payload-only-classtypes filter for EVE alert payload extraction