Feature #2015: eve: add fileinfo in alert
Status: Closed
Description
Alerts in EVE format do not have the fileinfo in them. It would be nice to add that to the list of fields displayed.
Updated by Victor Julien over 7 years ago
- Subject changed from Add fileinfo in alert to eve: add fileinfo in alert
- Assignee set to OISF Dev
Updated by Victor Julien over 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jeff Lucovsky
- Target version changed from TBD to 70
It may be a bit tricky to get from a file sig matching to adding the correct file to the alert record.
A couple of things: a signature that inspects files uses 'Signature::file_flags' to indicate this, e.g. by setting FILE_SIG_NEED_FILE.
The specific file might be a bit harder. In protocols like SMB, NFS, FTP we have a file per tx and the tx id is unique and available in the alert. But for HTTP and SMTP we can have multiple files. Each file has a 'File::file_track_id', so perhaps this can be stored when an alert is generated based on a file.
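As an added illustration of the correlation problem described in the comment above (this is not code from the ticket or from Suricata), the following Python snippet joins EVE `alert` and `fileinfo` records on the standard `flow_id` and `tx_id` keys and flags the case where one transaction carries several files, which is exactly where a per-file identifier such as `file_track_id` would be needed. The log lines are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed EVE JSON lines (not real traffic): one SMB flow with a file
# per transaction, and one HTTP flow where two files share a single tx.
SAMPLE_EVE = """
{"event_type":"fileinfo","flow_id":11,"tx_id":0,"app_proto":"smb","fileinfo":{"filename":"a.txt","size":12}}
{"event_type":"fileinfo","flow_id":11,"tx_id":1,"app_proto":"smb","fileinfo":{"filename":"b.exe","size":4096}}
{"event_type":"alert","flow_id":11,"tx_id":1,"app_proto":"smb","alert":{"signature_id":1000001}}
{"event_type":"fileinfo","flow_id":22,"tx_id":0,"app_proto":"http","fileinfo":{"filename":"x.bin","size":1}}
{"event_type":"fileinfo","flow_id":22,"tx_id":0,"app_proto":"http","fileinfo":{"filename":"y.bin","size":2}}
{"event_type":"alert","flow_id":22,"tx_id":0,"app_proto":"http","alert":{"signature_id":1000002}}
"""


def correlate(lines):
    """Map each alert's signature_id to the fileinfo records that share its
    (flow_id, tx_id). A match is marked ambiguous when the transaction
    carries more than one file, as HTTP and SMTP transactions can."""
    files = defaultdict(list)
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["flow_id"], ev.get("tx_id"))
        if ev["event_type"] == "fileinfo":
            files[key].append(ev["fileinfo"])
        elif ev["event_type"] == "alert":
            alerts.append((ev["alert"]["signature_id"], key))

    result = {}
    for sid, key in alerts:
        matched = files.get(key, [])
        result[sid] = {"files": matched, "ambiguous": len(matched) > 1}
    return result


if __name__ == "__main__":
    for sid, info in correlate(SAMPLE_EVE).items():
        print(sid, info)
```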
Updated by Victor Julien about 5 years ago
- Target version changed from 70 to 6.0.0beta1
Updated by Victor Julien over 4 years ago
This should be done after the jsonbuilder work is merged.
Updated by Jeff Lucovsky over 4 years ago
- Status changed from Assigned to In Review
Updated by Victor Julien over 4 years ago
- Status changed from In Review to Closed
- Priority changed from High to Normal