brimdata / build-suricata

Build Suricata for packaging with Brim

Improve yaml config #8

Closed henridf closed 4 years ago

henridf commented 4 years ago

This PR updates the Suricata yaml config to only log "alert" events, and to drop the app-layer and flow fields from these events.

I've still observed a couple of "event_type":"packet" events with this config but am not entirely sure how to remove them at this point.

Also some minor cleanup and a rev bump.

henridf commented 4 years ago

Once this lands and the new packages are in the cloud, I'll validate them and open a brimsec/zq PR to bump the rev there.

henridf commented 4 years ago

@philrz thanks for looking into this. I agree that we have to configure suricata in a way that produces consistent results, and have added runmode: single to the config.
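For reference, a suricata.yaml fragment that expresses what the PR description and the comment above ask for (alert events only, no app-layer or flow sub-objects, single runmode). This is an added illustration, not the diff from this PR; it assumes the Suricata 5.x eve-log key names, and the tagged-packets line is an assumption about where stray "packet" events may come from, not something the page confirms.

```yaml
# Added example fragment of suricata.yaml; not the PR's actual change.
# Key names assume Suricata 5.x eve-log settings.

# One packet-processing thread gives a deterministic event order, so
# runs over the same pcap produce comparable output.
runmode: single

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      # Only the alert logger is listed under types, so flow, dns,
      # http and the other per-protocol records are never emitted.
      types:
        - alert:
            payload: no            # no base64 payload blob per alert
            packet: no             # no raw packet dump per alert
            metadata:
              app-layer: false     # drop the nested app-layer object (http, dns, ...)
              flow: false          # drop the nested flow object
              rule:
                metadata: true     # keep the rule's own metadata keywords
                raw: false         # do not embed the full rule text
            # Assumption (not stated on the page): tagged-packet logging for
            # rules using the "tag" keyword is one source of
            # "event_type":"packet" records, so it is turned off here as well.
            tagged-packets: no
```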