When working with a large ruleset, e.g. ET Pro, I'd like to use the metadata rule option to append my own key/value pairs. This gives a great amount of flexibility in parsing eve.json events from Suricata.
The current function doesn't give this option, as shown by this example:

```python
# Assumed import: the rule parser in question is the idstools "rule" module
from idstools import rule

line = 'alert ip [104.206.128.14] any -> $HOME_NET any (msg:"ET 3CORESec Poor Reputation IP group 1"; reference:url,blacklist.3coresec.net/lists/et-open.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2525000; rev:74; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag 3CORESec, signature_severity Major, created_at 2020_07_20, updated_at 2020_10_28;)'
r = rule.parse(line)
# Append a custom key/value pair to the parsed metadata list
r["metadata"].append("mymetadatakey somevalue")
print(r["metadata"])  # the new pair is present here
print(r)              # ... but the printed rule text does not include it
```

While my mutation is stored in `r["metadata"]`, it doesn't get shown when I print `r`.
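The behaviour the issue asks for, shown as an added example that is not part of the issue and not code from the rule parser it reports on: a small self-contained Suricata rule parser that keeps the `metadata` option as a list of `(key, value)` pairs and rebuilds the rule text from that list, so a pair appended after parsing appears in the formatted rule. The sample rule is the one from the issue; the function names (`parse_rule`, `add_metadata`, `format_rule`) and the rule with no metadata option used in the usage note are constructed for this example.

```python
# Added example: parse a Suricata rule, append custom metadata, and re-serialize
# the rule so the appended pair is part of the printed rule text.

# Constructed sample rule (same shape and content as the one in the issue).
SAMPLE_RULE = (
    'alert ip [104.206.128.14] any -> $HOME_NET any '
    '(msg:"ET 3CORESec Poor Reputation IP group 1"; '
    'reference:url,blacklist.3coresec.net/lists/et-open.txt; '
    'threshold: type limit, track by_src, seconds 3600, count 1; '
    'classtype:misc-attack; sid:2525000; rev:74; '
    'metadata:affected_product Any, attack_target Any, deployment Perimeter, '
    'tag 3CORESec, signature_severity Major, created_at 2020_07_20, '
    'updated_at 2020_10_28;)'
)


def _split_options(body):
    """Split the option body on ';', ignoring ';' inside double-quoted
    values (e.g. msg:"a; b") and backslash-escaped characters."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opt = "".join(buf).strip()
            if opt:
                opts.append(opt)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    """Return {'header', 'options', 'metadata'}: 'options' is an ordered list of
    (keyword, value) tuples (value None for bare keywords such as nocase),
    'metadata' an ordered list of (key, value) pairs from every metadata option."""
    line = line.strip()
    start, end = line.find("("), line.rfind(")")
    if start == -1 or end < start:
        raise ValueError("not a Suricata rule: option parentheses missing")
    header = line[:start].strip()
    options = []
    for opt in _split_options(line[start + 1:end]):
        key, sep, value = opt.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    metadata = []
    for key, value in options:
        if key == "metadata" and value:
            for item in value.split(","):
                k, _, v = item.strip().partition(" ")
                if k:
                    metadata.append((k, v.strip()))
    return {"header": header, "options": options, "metadata": metadata}


def add_metadata(parsed, key, value):
    """Append a custom pair; reject characters that would break the metadata
    syntax (',' separates pairs, ';' ends the option, ' ' splits key/value)."""
    if not key or any(c in key for c in " ,;") or any(c in value for c in ",;"):
        raise ValueError("metadata key/value contains a separator character")
    parsed["metadata"].append((key, value))
    return parsed


def format_rule(parsed):
    """Rebuild the rule text. The metadata option is regenerated from the
    'metadata' list: all metadata options are merged into one, placed where the
    first one was, or appended at the end if the rule had none."""
    meta_value = ", ".join(f"{k} {v}" for k, v in parsed["metadata"])
    parts, meta_written = [], False
    for key, value in parsed["options"]:
        if key == "metadata":
            if meta_value and not meta_written:
                parts.append(f"metadata:{meta_value}")
                meta_written = True
            continue
        parts.append(key if value is None else f"{key}:{value}")
    if meta_value and not meta_written:
        parts.append(f"metadata:{meta_value}")
    return f"{parsed['header']} ({'; '.join(parts)};)"


if __name__ == "__main__":
    r = add_metadata(parse_rule(SAMPLE_RULE), "mymetadatakey", "somevalue")
    print(format_rule(r))  # the rule text now ends with "..., mymetadatakey somevalue;)"
```

Because `format_rule` regenerates the `metadata` option from the parsed list rather than reusing the original option text, the round trip `parse_rule(format_rule(r))` yields the same metadata list, including the appended pair; a rule that had no `metadata` option gets one appended as the last option. The separator check in `add_metadata` matters when the values come from elsewhere (a CSV of tags, a ticketing system), since a stray `;` or `,` would otherwise silently corrupt the rule.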