rba-community / TA-opnsense

Splunk Add on for OPNsense firewall
https://ta-opnsense.rba.community
Apache License 2.0

Search Time Extraction for Suricata #11

Closed eaditjhw closed 4 years ago

eaditjhw commented 4 years ago

When a 'Drop' rule is triggered in the log, the Search Time Extraction for the signature_id field is "Drop" rather than the actual signature_id. Can this be easily addressed?

As in the following sample raw syslog event:

Jan 01 00:00:00 hostname suricata[5947]: [Drop] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} n.n.n.n:80 -> n.n.n.n:62636
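The root cause described above is a regex-anchoring problem: an extraction that takes the first bracketed token after the process name captures the optional `[Drop]` action tag instead of the `[gid:sid:rev]` triple. The following is an added example, not code from the TA-opnsense add-on or from the pull request that fixed it; the "naive" pattern is a hypothetical reconstruction of the reported behaviour, and the second sample event and its addresses are constructed. It shows a parser that extracts the Suricata fast-log fields correctly whether or not an action tag is present.

```python
import re

# Constructed sample events. The first mirrors the event quoted in the issue;
# the second is a constructed alert without an action tag (RFC 5737 addresses).
SAMPLE_EVENTS = [
    "Jan 01 00:00:00 hostname suricata[5947]: [Drop] [1:2018959:4] "
    "ET POLICY PE EXE or DLL Windows file download HTTP "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
    "{TCP} n.n.n.n:80 -> n.n.n.n:62636",
    "Jan 01 00:00:01 hostname suricata[5947]: [1:2100498:7] "
    "GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.0.2.10:80 -> 198.51.100.7:51234",
]

# Hypothetical naive pattern illustrating the bug: it grabs whatever sits in
# the first pair of brackets after the process name, so a leading "[Drop]"
# tag is returned as the signature id.
NAIVE_SID_RE = re.compile(r"suricata\[\d+\]:\s+\[(?P<signature_id>[^\]]+)\]")

# Anchored pattern: the signature id is the middle integer of the
# "[gid:sid:rev]" triple. An alphabetic action tag such as "[Drop]" is
# optional and captured separately, so it can never be mistaken for the id.
SURICATA_RE = re.compile(
    r"suricata\[(?P<pid>\d+)\]:\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"          # optional action tag
    r"\[(?P<gid>\d+):(?P<signature_id>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<signature>.*?)\s+"                      # rule message (lazy)
    r"\[Classification:\s+(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?):(?P<src_port>\d+)\s+->\s+(?P<dest>\S+?):(?P<dest_port>\d+)"
)


def naive_signature_id(event):
    """Reproduce the reported behaviour: returns 'Drop' for drop events."""
    m = NAIVE_SID_RE.search(event)
    return m.group("signature_id") if m else None


def parse_suricata_event(event):
    """Return a dict of extracted fields, or None if the line does not match.

    'action' is None when the event carries no action tag.
    """
    m = SURICATA_RE.search(event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("naive signature_id :", naive_signature_id(ev))
        print("anchored fields    :", parse_suricata_event(ev))
```

The same anchored pattern can be used as a Splunk search-time `EXTRACT-` regex in `props.conf`, since Splunk field extractions are PCRE and the named groups become field names; the key point is that `signature_id` must be bound to the digit group inside the `gid:sid:rev` triple rather than to the first bracketed token.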

ZachChristensen28 commented 4 years ago

Thanks for catching this! I pulled an update to the master branch that will resolve the issue (See pull request #12 for details).