Feature #904: store tx id when generating an alert - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #904

closed

store tx id when generating an alert

Added by Victor Julien over 11 years ago. Updated about 11 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

2.0beta2

Effort:

Difficulty:

Label:

Description

The output modules have no way of knowing which TX generated an alert currently. The detection engine has this information available, but that can't be accessed by outputs.

It's probably enough to add a tx_id field to the PacketAlert struct, plus a flag to it's flag field to indicate the TX id field is used. The outputs can then use this info.

A use case is this XFF patch: https://github.com/inliniac/suricata/pull/241/files#pullrequestreviewcomment-3095686, it retrieves the XFF field from the TX, but this needs to be the XFF field from the correct TX.

When implemented, please also add the TX id to the output of alert-debug.log.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #904

store tx id when generating an alert

Updated by Anoop Saldanha over 11 years ago

Updated by Anoop Saldanha over 11 years ago

Updated by Victor Julien over 11 years ago

Updated by Victor Julien about 11 years ago