Feature #1830
closed
Added by Victor Julien over 8 years ago.
Updated over 8 years ago.
Description
When using the tag keyword special tag records are being written out to unified2. This way more packets than just the one triggering the alert are logged.
Eve should support the same thing. Probably through the 'alert' record with a special sid/gid like in unified2.
Actually unified2 doesn't have the special alert record with the tagged gid/sid anymore. A packet is a discrete record that contains an "event_id" and "event_second" to associate with the alert record previously seen in the unified file.
I thought we could do something similar, a "packet" eve record?
I like the packet eve record idea.
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.1.2
Also available in: Atom
PDF