For SIEM analysis it is often useful to refer to the actual rules to
find out why a specific alert has been triggered when the signature
message does not convey enough information.
Turn on the new rule flag to include the rule text in eve alert output.
The feature is turned off by default.
With a rule like this:
alert dns $HOME_NET any -> 8.8.8.8 any (msg:"Google DNS server contacted"; sid:42;)
The eve alert output might look something like this (pretty-printed for
readability):
{
"timestamp": "2017-08-14T12:35:05.830812+0200",
"flow_id": 1919856770919772,
"in_iface": "eth0",
"event_type": "alert",
"src_ip": "10.20.30.40",
"src_port": 50968,
"dest_ip": "8.8.8.8",
"dest_port": 53,
"proto": "UDP",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 42,
"rev": 0,
"signature": "Google DNS server contacted",
"category": "",
"severity": 3,
"rule": "alert dns $HOME_NET any -> 8.8.8.8 any (msg:\"Google DNS server contacted\"; sid:43;)"
},
"app_proto": "dns",
"flow": {
"pkts_toserver": 1,
"pkts_toclient": 0,
"bytes_toserver": 81,
"bytes_toclient": 0,
"start": "2017-08-14T12:35:05.830812+0200"
}
}
Feature #2020
# packet: yes # enable dumping of packet (without stream segments)
# http-body: yes # enable dumping of http body in Base64
# http-body-printable: yes # enable dumping of http body in printable format
+ # rule: yes # enable dumping of signature definition
metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
Alternatively to the `metadata` key it is also possible to select the application
# http-body: yes # enable dumping of http body in Base64
# http-body-printable: yes # enable dumping of http body in printable format
+ # rule: yes # enable dumping of signature definition
+
# Include extra data in alert records like the app-layer
# information and flow records. Default: yes.
#metadata: yes
SignatureParser parser;
memset(&parser, 0x00, sizeof(parser));
- s->sig_str = sigstr;
+ s->sig_str = SCStrdup(sigstr);
+ if (unlikely(s->sig_str == NULL)) {
+ SCReturnInt(-1);
+ }
int ret = SigParseBasics(de_ctx, s, sigstr, &parser, addrs_direction);
if (ret < 0) {
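Review bot: The added `SCStrdup()` overwrites `s->sig_str` unconditionally, so if SigParse can ever run on a Signature that already holds a copy (not visible in this hunk) the earlier allocation leaks; if that cannot happen by construction, say so next to the assignment, e.g. `/* private copy of the rule text: kept for the lifetime of the Signature and released in SigFree() */`. The copy is also taken before any validation, so a Signature that fails later in parsing now carries heap memory until SigFree() — fine only if every caller releases failed signatures through SigFree() rather than a bare SCFree(). SigParse starts before and continues past this hunk.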
} while (ret == 1);
}
- s->sig_str = NULL;
-
DetectIPProtoRemoveAllSMs(s);
SCReturnInt(ret);
if (s->addr_dst_match6 != NULL) {
SCFree(s->addr_dst_match6);
}
+ if (s->sig_str != NULL) {
+ SCFree(s->sig_str);
+ }
SigRefFree(s);
SigMetadataFree(s);
/** Metadata */
DetectMetadata *metadata;
- /* Be careful, this pointer is only valid while parsing the sig,
- * to warn the user about any possible problem */
- const char *sig_str;
+ char *sig_str;
SignatureInitData *init_data;
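Review bot: The removed comment on `sig_str` has no replacement, so the struct no longer documents who owns the pointer or how long it is valid, and the change flips it from a borrowed parse-time pointer to heap memory that lives as long as the Signature. Suggest restoring a comment above the field, e.g. `/** Copy of the rule text passed to SigParse(); owned by the Signature, freed in SigFree(), logged by eve when the "rule" flag is set. */`. The enclosing struct definition starts before and continues past this hunk.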
#define LOG_JSON_HTTP_BODY BIT_U16(6)
#define LOG_JSON_HTTP_BODY_BASE64 BIT_U16(7)
#define LOG_JSON_RULE_METADATA BIT_U16(8)
+#define LOG_JSON_RULE BIT_U16(9)
#define LOG_JSON_METADATA (LOG_JSON_APP_LAYER | LOG_JSON_FLOW)
AlertJsonPacket(p, js);
}
+ /* signature text */
+ if (json_output_ctx->flags & LOG_JSON_RULE) {
+ hjs = json_object_get(js, "alert");
+ if (json_is_object(hjs))
+ json_object_set_new(hjs, "rule", json_string(pa->s->sig_str));
+ }
+
HttpXFFCfg *xff_cfg = json_output_ctx->xff_cfg;
/* xff header */
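Review bot: `json_string(pa->s->sig_str)` returns NULL when the text is NULL or not valid UTF-8 (jansson validates string contents), and `json_object_set_new()` then fails quietly, so the `rule` key silently disappears for exactly those alerts — rule files with non-ASCII bytes in a `msg` are a plausible case, and the analyst using this feature to explain an alert would see nothing. Check the result instead of passing it straight through: `json_t *rule = json_string(pa->s->sig_str);` / `if (rule != NULL) { json_object_set_new(hjs, "rule", rule); }` with a debug log on the NULL branch so the omission is diagnosable. The enclosing function starts before and continues past this hunk.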
SetFlag(conf, "payload-printable", LOG_JSON_PAYLOAD, &flags);
SetFlag(conf, "http-body-printable", LOG_JSON_HTTP_BODY, &flags);
SetFlag(conf, "http-body", LOG_JSON_HTTP_BODY_BASE64, &flags);
+ SetFlag(conf, "rule", LOG_JSON_RULE, &flags);
ConfNode *rmetadata = ConfNodeLookupChild(conf, "rule-metadata");
if (rmetadata != NULL) {
# packet: yes # enable dumping of packet (without stream segments)
# http-body: yes # enable dumping of http body in Base64
# http-body-printable: yes # enable dumping of http body in printable format
+
rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
enabled: no # set to yes to enable
+ # rule: yes # enable dumping of signature definition
+
# Enable the logging of tagged packets for rules using the
# "tag" keyword.
tagged-packets: yes