output/reference: Include reference information in alert (if configured) #11089
Issue: 4974 Optionally include rule references with the alert. Since there can be multiple reference keywords, they are collected into an array.
Issue: 4974 Remove an unneeded NULL check for the JSON output context in AlertJsonHeader because the caller presumes that it's non-NULL and dereferences it to get the context flags.
Codecov Report
Attention: Patch coverage is

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11089       +/-   ##
===========================================
+ Coverage   64.19%   83.75%   +19.55%
===========================================
  Files         847      922       +75
  Lines      136684   250478   +113794
===========================================
+ Hits        87750   209785   +122035
+ Misses      48934    40693     -8241
Given a rule with "references": [ "http://www.vpngate.net" ], what are the other possibilities? I guess I had expected something more like:
Information: QA ran without warnings. Pipeline 20653
The reference associated with the signature has already been transformed from the scheme/value layout using

A more complicated example is a rule with a reference:
Continuation of #11079
When configured, include the reference value in the alert. The configuration value is in the alert section: types.alert.reference. The default value is off/no. Set to yes to include the expanded reference from the rule in the alert record.

Link to redmine ticket: 4974
Describe changes:
- reference value to suricata.yaml.in (default no/off)
- references: [ "ref-1" [, "ref-2" [, ...]]]
Updates:
Provide values to any of the below to override the defaults.
SV_BRANCH=OISF/suricata-verify#1808
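The behaviour described in this PR, modelled as an added Python example (not Suricata's own C code): the reference:scheme,value; options of a rule are collected in order, expanded through a reference.config-style scheme table, and emitted as a references array in the alert object only when the types.alert.reference option is enabled. The scheme table, the sample rule and the alert layout are constructed for illustration, and the choice to omit an empty array is an assumption.

```python
import json
import re

# Constructed sample of a reference.config-style scheme table (assumption:
# a real deployment loads this from Suricata's reference.config).
REFERENCE_SCHEMES = {
    "url": "http://",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
}

# Matches each "reference:scheme,value;" keyword inside a rule body.
REF_OPTION = re.compile(r"\breference\s*:\s*([^,;]+?)\s*,\s*([^;]+?)\s*;")

# Constructed sample rule; the cve value is a placeholder, not a real id.
SAMPLE_RULE = (
    'alert tcp any any -> any any (msg:"TEST vpngate"; '
    "reference:url,www.vpngate.net; reference:cve,0000-0000; "
    "sid:1; rev:1;)"
)


def expand_references(rule_text):
    """Collect every reference keyword of a rule, in rule order, and expand
    each scheme/value pair into its full form using the scheme table."""
    refs = []
    for scheme, value in REF_OPTION.findall(rule_text):
        prefix = REFERENCE_SCHEMES.get(scheme.lower())
        # Unknown scheme: keep the raw value instead of dropping it silently.
        refs.append(value if prefix is None else prefix + value)
    return refs


def build_alert(rule_text, sid, include_reference=False):
    """Build the 'alert' object of an EVE record. The references array is
    present only when types.alert.reference is enabled (default: off)."""
    alert = {"signature_id": sid}
    if include_reference:
        refs = expand_references(rule_text)
        if refs:  # assumption: no key at all when the rule has no references
            alert["references"] = refs
    return alert


if __name__ == "__main__":
    print(json.dumps(build_alert(SAMPLE_RULE, 1), indent=2))
    print(json.dumps(build_alert(SAMPLE_RULE, 1, include_reference=True), indent=2))
```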