Action is set to "allowed" unless a rule used the "drop" action and Suricata is in IPS mode, or when the rule used the "reject" action.
+It can also contain information about Source and Target of the attack in the alert.source and alert.target field it target keyword is used in
+the signature.
+
+::
+
+ "alert": {
+ "action": "allowed",
+ "gid": 1,
+ "signature_id": 1,
+ "rev": 1,
+ "signature": "HTTP body talking about corruption",
+ "severity": 3,
+ "source": {
+ "ip": "192.168.43.32",
+ "port": 36292
+ },
+ "target": {
+ "ip": "179.60.192.3",
+ "port": 80
+ },
+
Event type: HTTP
----------------
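Review bot: The added sentence has a typo that changes its meaning: "it target keyword is used in the signature" should read "if the target keyword is used in the signature", and "alert.source and alert.target field" should be "fields". The sentence also does not say how the target keyword decides which endpoint is reported as source and which as target; a short clause or a pointer to the keyword's documentation would help readers who consume these fields. In the example, the block stops at `},` after the "target" object, with a trailing comma and no closing brace for "alert", so it is not valid JSON as shown. Either drop the comma and close the object, or mark the snippet as an excerpt.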