Documentation #4658

open

Add/improve documentation for pcre substring capture logging

Added by Juliana Fajardini Reichow over 3 years ago. Updated 4 months ago.

Status: Assigned
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently, if a user wants to log a matching string from a rule that uses `pcre`, there isn't much documentation to help them understand how they can do that.
Our documentation has:
https://suricata.readthedocs.io/en/suricata-6.0.3/rules/payload-keywords.html#pcre-perl-compatible-regular-expressions
And some `suricata-verify` tests could provide some examples:
https://github.com/OISF/suricata-verify/blob/master/tests/eve-metadata/test.rules
And others in the eve-metadata-* dirs.

But we could have all that better documented.

(image offers context from ad hoc support offered in our IRC chat)


Files

Screenshot from 2021-09-02 16-41-26.png (56.9 KB), Juliana Fajardini Reichow, 09/02/2021 03:37 PM