Alerts
~~~~~~
-Alerts are event records for rule matches. They can be ammended with metadata,
-such as the HTTP record an alert was generated for.
+Alerts are event records for rule matches. They can be ammended with
+metadata, such as the application layer record (HTTP, DNS, etc) an
+alert was generated for, and elements of the rule.
Metadata::
- alert:
- # payload: yes # enable dumping payload in Base64
- # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
- # payload-printable: yes # enable dumping payload in printable (lossy) format
- # packet: yes # enable dumping of packet (without stream segments)
- # http-body: yes # enable dumping of http body in Base64
- # http-body-printable: yes # enable dumping of http body in printable format
- # rule: yes # enable dumping of signature definition
- metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
-
-Alternatively to the `metadata` key it is also possible to select the application
-layer metadata to output on a per application layer basis ::
+ #payload: yes # enable dumping payload in Base64
+ #payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ #payload-printable: yes # enable dumping payload in printable (lossy) format
+ #packet: yes # enable dumping of packet (without stream segments)
+ #http-body: yes # enable dumping of http body in Base64
+ #http-body-printable: yes # enable dumping of http body in printable format
- - alert:
- http: yes # enable dumping of http fields
- tls: yes # enable dumping of tls fields
- ssh: yes # enable dumping of ssh fields
- smtp: yes # enable dumping of smtp fields
- dnp3: yes # enable dumping of dnp3 fields
- flow: yes # enable dumping of a partial flow entry
- vars: yes # enable dumping of flowbits and other vars
+ # metadata:
-The `vars` will enable dumping of a set of key/value based on flowbits and other vars
-such as named groups in regular expression.
+ # Include the decoded application layer (ie. http, dns)
+ #app-layer: true
-It is also possible to log key/value pairs defined by the metadata keyword on rule. To
-do so you need to set `enabled` to yes under `rule-metadata` ::
+ # Log the the current state of the flow record.
+ #flow: true
- - alert:
- metadata: yes # add L7/applayer fields, flowbit and other vars to the alert
- rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
- enabled: yes # set to yes to enable
- output-array: no # output value of key as an array
- array-keys: [tag] # comma separated array of keys to output as array
+ #rule:
+ # Log the metadata field from the rule in a structured
+ # format.
+ #metadata: true
-This will add a `alert.metadata` object in the alert event.
+ # Log the raw rule text.
+ #raw: false
DNS
~~~
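Review bot: the added text carries two typos into the new version: "ammended" in the first `+` line of the hunk (should be "amended") and "Log the the current state of the flow record." (doubled "the"); fix both while the lines are being touched. The new commented example also writes `#payload: yes` with no space after `#`, whereas the lines it replaces and the rest of the document use `# payload: yes`, so the style should be kept consistent. Less cosmetically, the removed paragraphs told the reader that rule-defined key/value pairs end up in an `alert.metadata` object and that `vars` covered flowbits and named regex groups; the replacement only shows `#rule:` / `#metadata: true` and `#raw: false` with no prose saying which event field they populate or what became of the `vars` output, so one or two sentences on that should be restored. Minor: "(HTTP, DNS, etc)" wants a period after "etc", and "(ie. http, dns)" is giving examples, so "e.g." is the intended abbreviation.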
# http-body: yes # enable dumping of http body in Base64
# http-body-printable: yes # enable dumping of http body in printable format
- # rule: yes # enable dumping of signature definition
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
- # Include extra data in alert records like the app-layer
- # information and flow records. Default: yes.
- #metadata: yes
+ # Configure the metadata to be logged along with an
+ # alert. The following shows the default configuration
+ # which is used if this field is not provided or simply
+ # set to a truthful value. Setting of this section is only
+ # required if you wish to enable/disable specific fields.
+ #metadata:
- # If metadata is false this will enable logging of the
- # associated app-layer with the alert record.
- #app-layer: yes
+ # Include the decoded application layer (ie. http, dns)
+ app-layer: true
- # If metadata is false this will enable logging of the flow
- # record with the alert record.
- #flow: yes
+ # Log the the current state of the flow record.
+ flow: true
- # Enable the logging of tagged packets for rules using the
- # "tag" keyword.
- tagged-packets: yes
+ rule:
+ # Log the metadata field from the rule in a structured
+ # format.
+ metadata: true
- rule-metadata: # dumping of key/value pairs defined by metadata keyword of rule
- enabled: no # set to yes to enable
- output-array: no # output value of key as an array
- array-keys: [tag] # comma separated array of keys to output as array
+ # Log the raw rule text.
+ raw: false
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)
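Review bot: the parent key stays commented out as `#metadata:` while the new children `app-layer: true`, `flow: true`, `rule:`, `metadata: true` and `raw: false` are live lines, so they are orphaned: depending on their indentation they either fail to parse or attach directly to `alert`, where `metadata: true` and `raw: false` have a different meaning. Either comment the children out, as the documentation copy of this block does (`#app-layer: true`, `#flow: true`, `#rule:` ...), or uncomment `metadata:`. The preceding comment says "The following shows the default configuration which is used if this field is not provided", which only holds if the children are shown as inert defaults rather than active settings, so the comment and the keys should agree. While there, fix "Log the the current state" (doubled "the") and replace "set to a truthful value" with "set to true".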