Snort mailing list archives
Re: snort3 alert_json appid fields
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sun, 2 Aug 2020 08:32:10 +0200
Costas, if you're adding fields to the alert_json output, can I ask that you look at including all the information from the rules file as well?

From a SIEM integration viewpoint, it means that each record in the JSON file is complete with supporting information about the event, and I don't have to kludge some sort of workaround to pull data from the rules files (say, to show the references with the rule, or the metadata). Since the user chooses which fields to write to the JSON file in their snort.lua file's option, it will make it easier to display events.

thanks
Noah

On Sun, Aug 2, 2020 at 12:23 AM Costas Kleopa (ckleopa) via Snort-devel <snort-devel () lists snort org> wrote:

> Currently we do this by the IPS rules and the appid rule option. There are also some upcoming enhancements which we plan to discuss as a better alternative on a new blog coming up soon, so keep an eye out for that too.
> Thanks,
> Costas
>
> On Aug 1, 2020, at 10:03 AM, Özkan KIRIK via Snort-devel <snort-devel () lists snort org> wrote:
>
>> Hello,
>> Is it possible to log the detected appId? I couldn't find any related field names for alert_json in the manual.
>> Regards
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
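Added example, not code from the thread or from the Snort project: the rules-file join that Noah describes as the workaround, written in Python. Snort 3's alert_json writes the rule as a "gid:sid:rev" string, so a SIEM pipeline can index the rules file by that triple and attach the rule's msg, classtype, appid, reference and metadata options to each record before shipping it. The rules and alert lines below are constructed for this example (the `appid:` rule option is the mechanism Costas points to for tying an application to a rule); the field names in the alert lines are alert_json's default field set.

```python
"""Enrich Snort 3 alert_json records with reference:/metadata: from the rules file.

Added illustration of the workaround described in the thread. alert_json
carries gid:sid:rev but not the rule's reference or metadata options, so a
SIEM pipeline has to join the two. Sample rules and alert lines are
constructed for this example and are not from the mailing list.
"""
import json

# Constructed Snort 3 rules (not from the thread). Options sit inside parens
# and a rule may span several lines; appid: ties the rule to an application.
RULES_FILE = r'''
# comment lines like this one are ignored by the parser
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (
    msg:"EXAMPLE TLS to unexpected port"; flow:to_server,established;
    appid:ssl;
    reference:url,example.invalid/tls-note; metadata:policy balanced-ips alert;
    classtype:policy-violation; sid:1000001; rev:2; )
alert http any any -> any any ( msg:"EXAMPLE HTTP admin path"; http_uri; content:"/admin"; appid:http; reference:cve,2020-0000; sid:1000002; rev:1; )
'''

# Constructed alert_json lines using alert_json's default field set; the third
# record references a sid that is not in RULES_FILE to exercise the miss path.
ALERT_JSON_LINES = [
    '{ "timestamp" : "08/02-08:32:10.000001", "pkt_num" : 1, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_ap" : "10.0.0.5:51000", "dst_ap" : "203.0.113.9:443", "rule" : "1:1000001:2", "action" : "allow" }',
    '{ "timestamp" : "08/02-08:32:11.000002", "pkt_num" : 2, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 420, "dir" : "C2S", "src_ap" : "10.0.0.7:51002", "dst_ap" : "203.0.113.10:80", "rule" : "1:1000002:1", "action" : "allow" }',
    '{ "timestamp" : "08/02-08:32:12.000003", "pkt_num" : 3, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 60, "dir" : "C2S", "src_ap" : "10.0.0.8:51003", "dst_ap" : "203.0.113.11:22", "rule" : "1:9999999:1", "action" : "allow" }',
]


def iter_rules(text):
    """Yield (header, option_body) for each rule; the option block may span lines.

    The scan tracks double-quoted strings so a ')' or ';' inside msg:/content:
    does not end the rule early.
    """
    pos = 0
    while True:
        open_idx = text.find('(', pos)
        if open_idx < 0:
            return
        header = text[pos:open_idx].strip()
        i, depth, in_quote = open_idx, 0, False
        while i < len(text):
            ch = text[i]
            if ch == '"' and text[i - 1] != '\\':
                in_quote = not in_quote
            elif not in_quote:
                if ch == '(':
                    depth += 1
                elif ch == ')':
                    depth -= 1
                    if depth == 0:
                        break
            i += 1
        yield header, text[open_idx + 1:i]
        pos = i + 1


def split_options(body):
    """Split a rule's option block on ';' while honouring double-quoted strings."""
    opts, cur, in_quote = [], [], False
    for i, ch in enumerate(body):
        if ch == '"' and (i == 0 or body[i - 1] != '\\'):
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opt = ''.join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rules(text):
    """Return {(gid, sid, rev): fields} for every rule; gid defaults to 1, rev to 1."""
    index = {}
    clean = '\n'.join(l for l in text.splitlines() if not l.lstrip().startswith('#'))
    for header, body in iter_rules(clean):
        fields = {'header': ' '.join(header.split()), 'reference': [], 'metadata': []}
        ids = {'gid': '1', 'sid': None, 'rev': '1'}
        for opt in split_options(body):
            name, _, value = opt.partition(':')
            name, value = name.strip(), value.strip().strip('"')
            if name in ids:
                ids[name] = value
            elif name in ('reference', 'metadata'):
                fields[name].append(value)      # repeatable options: keep all
            elif name in ('msg', 'classtype', 'appid'):
                fields[name] = value
        if ids['sid'] is not None:
            index[(ids['gid'], ids['sid'], ids['rev'])] = fields
    return index


def enrich(alert_lines, rules_index):
    """Join each alert_json record to its rule on the gid:sid:rev triple.

    A record whose rule is missing from the index is kept and flagged with
    rule_found=False rather than dropped, so a stale rules file shows up in
    the SIEM instead of silently losing alerts.
    """
    out = []
    for line in alert_lines:
        rec = json.loads(line)
        gid, sid, rev = rec['rule'].split(':')
        rule = rules_index.get((gid, sid, rev))
        rec['gid'], rec['sid'], rec['rev'] = int(gid), int(sid), int(rev)
        rec['rule_found'] = rule is not None
        if rule:
            rec.update(rule)
        out.append(rec)
    return out


if __name__ == '__main__':
    for record in enrich(ALERT_JSON_LINES, parse_rules(RULES_FILE)):
        print(json.dumps(record))
```

The join key is the full gid:sid:rev triple rather than sid alone, so an alert raised by an older revision is not decorated with references that were added later; in practice the rules files loaded by the running Snort instance are the ones to parse, and a record with `rule_found` false is the signal that the SIEM's copy of the rules has drifted from the sensor's.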
Current thread:
- snort3 alert_json appid fields Özkan KIRIK via Snort-devel (Aug 01)
- Re: snort3 alert_json appid fields Costas Kleopa (ckleopa) via Snort-devel (Aug 01)
- Re: snort3 alert_json appid fields Noah Dietrich (Aug 01)
- Re: snort3 alert_json appid fields Özkan KIRIK via Snort-devel (Aug 02)
- Re: snort3 alert_json appid fields Costas Kleopa (ckleopa) via Snort-devel (Aug 01)