Feature #2352: eve: add "metadata" field to alert (rework of vars) - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #2352

closed

eve: add "metadata" field to alert (rework of vars)

Added by Jason Ish almost 7 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Ish

Target version:

4.1beta1

Effort:

Difficulty:

Label:

Description

Re-work the "vars" object into a top-level "metadata" field that will initially contain flowbits, flowvars, flowints and pktvars. For example:

{
  "metadata": {
    "flowbits": [
      "/traffic/id/facebook",
      "ET.TorIP" 
    ],
    "flowvars": {
      "flow_var0_name": "flow_var0_value",
      "flow_var1_name": "flow_var1_value" 
    },
    "flowints": {
      "flow_int0_name": 0,
      "flow_int1_name": 1
    },
    "pktvars": {
      "pkt_var0_name": "pkt_var0_value",
      "pkt_var1_name": "pkt_var1_value" 
    }
  }
}

Also, unlike the vars object, log this to flow/netflow event types as well. Perhaps all event types?

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #2352

eve: add "metadata" field to alert (rework of vars)

Updated by Victor Julien almost 7 years ago

Updated by Jason Ish almost 7 years ago

Updated by Andreas Herz almost 7 years ago

Updated by Victor Julien over 6 years ago