Feature #667: Configurable Sensor_ID in Unified2 Output - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #667

closed

Configurable Sensor_ID in Unified2 Output

Added by Jake Gionet almost 12 years ago. Updated over 11 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jake Gionet

Target version:

1.4.1

Effort:

Difficulty:

Label:

Description

Make the "Sensor ID" field of the Unified2 output format capable of being set via configuration file. In environments where there are many sensors logging to a central logging device (i.e. enterprise deployment, SIEM logging, etc.) in Unified2 format, this would make it easier to distinguish what sensor an alert came from.

Based on section 5.3.8 of http://manual.snort.org/node44.html, the “Sensor ID” field in Unified2 alerts is completely unused. It appears that Suricata hardcodes this value to zero from looking at alert-unified2-alert.c (line 361).

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #667

Configurable Sensor_ID in Unified2 Output

Updated by Victor Julien almost 12 years ago

Updated by Jake Gionet almost 12 years ago

Updated by Victor Julien over 11 years ago