Feature #2015
closed
eve: add fileinfo in alert
Added by Eric Leblond over 7 years ago.
Updated over 4 years ago.
Description
Alerts in EVE format do not have the fileinfo in them. It could be nice to add that to the list of fields displayed.
- Target version set to TBD
- Subject changed from Add fileinfo in alert to eve: add fileinfo in alert
- Assignee set to OISF Dev
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jeff Lucovsky
- Target version changed from TBD to 70
It may be a bit tricky to get from a file sig matching to adding the correct file to the alert record.
Couple of things: a signature that inspects files uses 'Signature::file_flags' to indicate this, e.g. by setting FILE_SIG_NEED_FILE
The specific file might be a bit harder. In protocols like SMB, NFS, FTP we have a file per tx and the tx id is unique and available in the alert. But for HTTP and SMTP we can have multiple files. Each file has a 'File::file_track_id', so perhaps this can be stored when an alert is generated based on a file.
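The two lookup keys named in the comment above, the per-tx id and the per-file track id, can be illustrated with a small toy model. This is added example code, not Suricata source: ToyFile, ToyTx, ToySignature, ToyAlert and TOY_SIG_NEED_FILE are constructed stand-ins for File::file_track_id, the transaction, Signature::file_flags and FILE_SIG_NEED_FILE, and the EVE line it renders is a constructed approximation of the output format. It shows why a tx id alone is enough for one-file-per-tx protocols but not for HTTP or SMTP, where storing the matched file's track id in the alert resolves the ambiguity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the design sketched in the comment above; not Suricata code.
 * Names are stand-ins for Signature::file_flags, FILE_SIG_NEED_FILE and
 * File::file_track_id. */
#define MAX_FILES 8
#define TOY_SIG_NEED_FILE 0x01u   /* constructed stand-in for FILE_SIG_NEED_FILE */

typedef struct {
    uint32_t file_track_id;       /* stand-in for File::file_track_id */
    const char *filename;
} ToyFile;

typedef struct {
    uint64_t tx_id;               /* unique per tx, already present in the alert */
    ToyFile files[MAX_FILES];
    size_t nfiles;
} ToyTx;

typedef struct {
    uint32_t sid;
    unsigned file_flags;          /* stand-in for Signature::file_flags */
} ToySignature;

typedef struct {
    uint32_t sid;
    uint64_t tx_id;
    uint32_t file_track_id;
    int has_file;                 /* 1 when a file-inspecting sig matched on a file */
} ToyAlert;

/* Create the alert record. When the signature inspects files, keep the track
 * id of the file it matched on next to the tx id the alert already carries. */
static ToyAlert alert_from_match(const ToySignature *s, const ToyTx *tx,
                                 const ToyFile *matched)
{
    ToyAlert a = { s->sid, tx->tx_id, 0, 0 };
    if ((s->file_flags & TOY_SIG_NEED_FILE) && matched != NULL) {
        a.file_track_id = matched->file_track_id;
        a.has_file = 1;
    }
    return a;
}

/* Lookup by tx id alone: enough for one-file-per-tx protocols (SMB, NFS, FTP),
 * ambiguous when a tx carries several files (HTTP, SMTP), hence NULL. */
static const ToyFile *file_by_tx_only(const ToyTx *tx)
{
    return tx->nfiles == 1 ? &tx->files[0] : NULL;
}

/* Lookup by the stored track id: unambiguous whatever the file count. */
static const ToyFile *file_for_alert(const ToyTx *tx, const ToyAlert *a)
{
    if (!a->has_file)
        return NULL;
    for (size_t i = 0; i < tx->nfiles; i++)
        if (tx->files[i].file_track_id == a->file_track_id)
            return &tx->files[i];
    return NULL;
}

/* Render a minimal EVE-like alert line, with an embedded fileinfo object when
 * the file could be resolved. Returns the number of characters written. */
static int alert_to_eve(const ToyTx *tx, const ToyAlert *a, char *out, size_t n)
{
    const ToyFile *f = file_for_alert(tx, a);
    if (f == NULL)
        return snprintf(out, n, "{\"event_type\":\"alert\",\"tx_id\":%llu,"
                        "\"alert\":{\"signature_id\":%u}}",
                        (unsigned long long)a->tx_id, a->sid);
    return snprintf(out, n, "{\"event_type\":\"alert\",\"tx_id\":%llu,"
                    "\"alert\":{\"signature_id\":%u},"
                    "\"fileinfo\":{\"file_track_id\":%u,\"filename\":\"%s\"}}",
                    (unsigned long long)a->tx_id, a->sid, f->file_track_id, f->filename);
}

/* Constructed sample: one HTTP-style tx carrying two files. */
static ToyTx sample_multi_file_tx(void)
{
    ToyTx tx = { .tx_id = 7, .nfiles = 2 };
    tx.files[0] = (ToyFile){ 1, "first.txt" };
    tx.files[1] = (ToyFile){ 2, "second.bin" };
    return tx;
}

/* Returns 1 when tx-only lookup is ambiguous but the track id resolves the file. */
static int track_id_disambiguates(void)
{
    ToyTx tx = sample_multi_file_tx();
    ToySignature sig = { 1000001, TOY_SIG_NEED_FILE };
    ToyAlert a = alert_from_match(&sig, &tx, &tx.files[1]);  /* matched second file */
    const ToyFile *f = file_for_alert(&tx, &a);
    return file_by_tx_only(&tx) == NULL && f != NULL && strcmp(f->filename, "second.bin") == 0;
}
```

With the sample tx, file_by_tx_only() returns NULL because two files share tx id 7, while file_for_alert() returns second.bin from the track id stored at match time, and alert_to_eve() emits a fileinfo object only when that resolution succeeds.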
- Target version changed from 70 to 6.0.0beta1
This should be done after the jsonbuilder work is merged.
- Priority changed from Normal to High
- Status changed from Assigned to In Review
- Status changed from In Review to Closed
- Priority changed from High to Normal