The `vars` will enable dumping of a set of key/value based on flowbits and other vars
such as named groups in regular expression.
+It is also possible to log key/value pairs defined by the metadata keyword on rule. To
+do so you need to set `enabled` to yes under `rule-metadata` ::
+
+ - alert:
+ metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
+ rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
+ enabled: yes # set to yes to enable
+ output-array: no # output value of key as an array
+ array-keys: [tag] # comma separated array of keys to output as array
+
+This will add a `alert.metadata` object in the alert event.
+
DNS
~~~
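Review bot: the prose before the snippet only tells the reader to set `enabled` to yes, but the snippet also introduces `output-array` and `array-keys` without explaining what the resulting `alert.metadata` object looks like; a sentence stating that each metadata key becomes a field of `alert.metadata` and that keys listed in `array-keys` (or all keys when `output-array` is yes) are emitted as JSON arrays would make the options usable. Note also that the docs snippet shows `enabled: yes` while the shipped suricata.yaml defaults to `enabled: no`, so the text should say explicitly that logging is off by default and must be switched on. Minor wording: "add a `alert.metadata` object" should read "add an `alert.metadata` object".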
# "tag" keyword.
tagged-packets: yes
+ rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
+ enabled: no # set to yes to enable
+ output-array: no # output value of key as an array
+ array-keys: [tag] # comma separated array of keys to output as array
+
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)
# with the one reported in the X-Forwarded-For HTTP header. This is
metadata
--------
-Suricata ignores the words behind meta data. Suricata supports this
-keyword because it is part of the signature language. The format is::
- metadata:......;
+The meatadata keyword allows additional, non-functional information to
+be added to the signature. While the format is free-form, it is
+recommended to stick to key, value pairs as Suricata can include these
+in eve alerts. The format is::
+
+ metadata: key value;
+ metadata: key value, key value;
target
------
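Review bot: the first added line misspells the keyword as "meatadata"; it should read "The metadata keyword ...". In the same paragraph "key, value pairs" would be clearer as "key-value pairs", and since the text says Suricata "can include these in eve alerts", it should point to the `rule-metadata` setting of the eve alert output that has to be enabled for that to happen, otherwise readers will add metadata and wonder why nothing appears in the log. The two example lines are fine, but one sentence on the separator rules (space between key and value, comma between pairs, semicolon terminating the keyword) would match the precision of the other keyword sections.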