
Target keyword v3 #2767

Closed. Wants to merge 7 commits into base: master

Conversation

2 participants
@regit
Member

regit commented Jun 12, 2017

Update of #2764 addressing comments and fixing a problem found during testing.

PR builds:

regit added some commits Dec 16, 2016

detect-target: introduce new keyword

The target keyword allows rule writers to specify information about
the target of the attack. Using this keyword in a signature causes
some fields to be added to the EVE output. It also fixes ambiguity
in the Prelude output.

output-json-alert: output source and target

Use metadata-provided information to output the Source and Target
in the definition of IDMEF.

The output is now the following:

  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 1,
    "signature": "connection to home",
    "category": "",
    "severity": 3,
    "source": {
      "ip": "2001:31d0:000a:f68a:0000:0000:0000:0001",
      "port": 80
    },
    "target": {
      "ip": "2a01:0e34:ee97:b130:c685:08ff:dab3:c9c8",
      "port": 48390
    }

alert-prelude: correctly set Source and Target

IDMEF alert contains two entities named Source and Target that are
defined using common language:
* "The Source class contains information about the possible source(s) of
   the event(s) that generated an alert."
* "The Target class contains information about the possible target(s) of
   the event(s) that generated an alert."

Previous alert events were not following that, so we can update the code
when we know the direction thanks to the metadata field.

output-json-alert: don't decref used object

In the unlikely case of an allocation error we will still use the
existing object, so it should not be decref'd and freed.
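An added illustration of the direction mapping the commit messages describe; this is not Suricata's code and not part of this PR. It assumes the keyword takes the values `src_ip` / `dest_ip` (meaning the packet's source or destination address is the victim), builds the EVE `source`/`target` objects from a constructed 5-tuple, and offers a consistency check a detection engineer could run over parsed EVE alerts.

```python
import ipaddress
import re

# Added example, not Suricata's own code. Assumed keyword syntax:
#   target:src_ip;   -> the packet's source address is the victim
#   target:dest_ip;  -> the packet's destination address is the victim
_TARGET_RE = re.compile(r"\btarget\s*:\s*(src_ip|dest_ip)\s*;")


def parse_target(rule: str):
    """Return 'src_ip', 'dest_ip', or None when the rule sets no target."""
    m = _TARGET_RE.search(rule)
    return m.group(1) if m else None


def _endpoint(ip: str, port: int) -> dict:
    # EVE prints IPv6 addresses in exploded form (see the output quoted above).
    return {"ip": ipaddress.ip_address(ip).exploded, "port": port}


def source_and_target(rule, src_ip, src_port, dst_ip, dst_port) -> dict:
    """EVE-style 'source'/'target' objects; {} when the rule has no target keyword."""
    direction = parse_target(rule)
    if direction is None:
        return {}
    sender = _endpoint(src_ip, src_port)
    receiver = _endpoint(dst_ip, dst_port)
    if direction == "dest_ip":  # attack flows toward the packet's destination
        return {"source": sender, "target": receiver}
    # src_ip: the sender is the victim, so the receiver is the attack source
    return {"source": receiver, "target": sender}


def alert_matches_rule(alert: dict, rule: str,
                       src_ip, src_port, dst_ip, dst_port) -> bool:
    """True when a parsed EVE alert carries the source/target the rule implies.

    A rule without a target keyword implies nothing, so it always passes.
    """
    expected = source_and_target(rule, src_ip, src_port, dst_ip, dst_port)
    return all(alert.get(key) == value for key, value in expected.items())
```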

@inliniac inliniac referenced this pull request Jun 12, 2017

Merged

Next/20170612/v4 #2776

@inliniac


Member

inliniac commented Jun 12, 2017

Merged in #2776, thanks Eric!

@inliniac inliniac closed this Jun 12, 2017

@regit


Member

regit commented Jun 12, 2017

\o/
