output/reference: Include reference information in alert (if configured) #11758
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Issue: 4974 Optionally include rule references with the alert. Since there can be multiple reference keywords, they are collected into an array.
Issue: 4974
Issue: 4974
1. Use https instead of http everywhere
2. Organize and annotate references by
- Referenced by ET/Open and ET/Pro
- URL resolves and works as intended (to provide supplemental
information regarding a reference value, e.g., bug id, cve
value)
- URL no longer resolves
- URL resolves but doesn't work as intended (to provide
supplemental information)
- Not referenced by ET/Open nor ET/Pro
- URL resolves and works as intended (to provide supplemental
information regarding a reference value, e.g., bug id, cve
value)
- URL no longer resolves
- URL resolves but doesn't work as intended (to provide
supplemental information)
Issue: 4974 Remove unused parameters in output path for - AlertJsonMetadata - AlertJsonHeader
jlucovsky
requested review from
jufajardini,
victorjulien and
a team
as code owners
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #11758 +/- ##
==========================================
- Coverage 82.63% 79.18% -3.46%
==========================================
Files 919 919
Lines 248943 248830 -113
==========================================
- Hits 205716 197030 -8686
- Misses 43227 51800 +8573
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: ERROR: QA failed on SURI_TLPR1_alerts_cmp.
Pipeline 22553 |
|
Lots of failing CI tests :-/ |
|
Continued in #11767 |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Continuation of #11668
When configured, include the reference value in the alert. The configuration value is in the
alertsection: types.alert.reference. The default value is off/no. Set to yes to include the expanded reference from the rule in the alert record.Link to redmine ticket: 4974
Describe changes:
referencevalue to suricata.yaml.in (default no/off)references: [ "ref-1" [, "ref-2" [, ...]]]Updates:
BUG_ONchecks when using reference key/values.Provide values to any of the below to override the defaults.
SV_BRANCH=OISF/suricata-verify#2037