Alert Data Fields

Doug Burks edited this page Nov 8, 2017 · 3 revisions

Introduction

Below are the fields derived from IDS alerts (Snort/Suricata), after being processed by Logstash:

type:snort
/etc/logstash/conf.d/1033_preprocess_snort.conf

alert
category
classification
source_ip
source_port
destination_ip
destination_port
gid
host
priority
protocol
rev
rule (added through augmentation)
rule_type
severity
sid
Signature_Info (added through augmentation)
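As an added illustration that is not part of this wiki page or of Security Onion's own Logstash configuration, the Python below parses a constructed Snort fast-format alert line into the field names listed above so an analyst can see how a raw alert maps onto them. The `host` value is supplied as a parameter (assumed to be the sensor name), and `category`, `rule_type`, `severity` and the two augmented fields (`rule`, `Signature_Info`) are left out because the page does not show how they are derived.

```python
import re

# Constructed sample alerts (not taken from the page): one TCP alert with ports,
# one ICMP alert without ports, to show the optional-port edge case.
SAMPLE_TCP_ALERT = (
    "08/11-14:02:17.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:49152"
)
SAMPLE_ICMP_ALERT = (
    "08/11-14:02:18.000001  [**] [1:408:5] ICMP Echo Reply [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.20"
)

# Assumed layout of a Snort "fast" alert line (IPv4 only); the group names
# deliberately match the field names documented on this page.
FAST_ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<alert>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<classification>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<priority>\d+)\]"
    r"\s+\{(?P<protocol>[A-Z]+)\}\s+"
    r"(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<source_port>\d+))?"
    r"\s+->\s+"
    r"(?P<destination_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<destination_port>\d+))?\s*$"
)

INT_FIELDS = ("gid", "sid", "rev", "priority", "source_port", "destination_port")


def parse_fast_alert(line: str, host: str) -> dict:
    """Map one fast-format alert line onto the documented field names.

    Ports are None for protocols that have none (e.g. ICMP); numeric fields
    are converted to int so they compare correctly in later searches.
    """
    match = FAST_ALERT_RE.search(line)
    if match is None:
        raise ValueError("not a Snort fast-format alert line: %r" % line)
    fields = match.groupdict()
    for key in INT_FIELDS:
        if fields[key] is not None:
            fields[key] = int(fields[key])
    fields["host"] = host  # assumed: the sensor that produced the alert
    return fields


if __name__ == "__main__":
    for sample in (SAMPLE_TCP_ALERT, SAMPLE_ICMP_ALERT):
        print(parse_fast_alert(sample, host="sensor1"))
```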
