This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Alert Data Fields

doug edited this page Aug 27, 2019 · 5 revisions

Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Alert-Data-Fields.

Introduction

Below are the fields derived from IDS alerts (Snort/Suricata) after they have been processed by Logstash:

type:snort
/etc/logstash/conf.d/1033_preprocess_snort.conf

alert
category
classification
source_ip
source_port
destination_ip
destination_port
gid
host
priority
protocol
rev
rule (added through augmentation)
rule_type
severity
sid
Signature_Info (added through augmentation)
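As an added example (not the wiki's or Security Onion's own Logstash code), the following Python maps a Snort/Suricata fast-format alert line onto the field names listed above and applies a simple priority filter. The sample alert lines and the host name are constructed assumptions; the augmented fields (rule, Signature_Info) and the derived category, severity and rule_type are left to the pipeline.

```python
import re

# Constructed sample lines in Snort/Suricata "fast" alert format (assumed to be
# the input 1033_preprocess_snort.conf works on; not Security Onion's config).
SAMPLE_ALERTS = [
    "08/27-14:03:11.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 10.0.0.5:80 -> 192.168.1.10:43210",
    "08/27-14:03:12.000001  [**] [1:2100384:6] GPL ICMP_INFO PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5",
]

FAST_ALERT_RE = re.compile(
    r"^(?P<timestamp>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<alert>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<protocol>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def _split_endpoint(token, protocol):
    """Split ip:port only for TCP/UDP; rpartition keeps IPv6 addresses intact."""
    if protocol.upper() in ("TCP", "UDP") and ":" in token:
        ip, _, port = token.rpartition(":")
        return ip, int(port)
    return token, None

def parse_fast_alert(line, host="sensor1"):
    """Map one fast-format line onto the field names listed above; rule,
    Signature_Info, category, severity and rule_type are not produced here."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None  # unparsable line: report it rather than guess fields
    src_ip, src_port = _split_endpoint(m["src"], m["protocol"])
    dst_ip, dst_port = _split_endpoint(m["dst"], m["protocol"])
    return {
        "alert": m["alert"], "classification": m["classification"],
        "priority": int(m["priority"]), "protocol": m["protocol"],
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "source_ip": src_ip, "source_port": src_port,
        "destination_ip": dst_ip, "destination_port": dst_port,
        "host": host,  # sensor name is an assumed value, not read from the line
    }

def high_priority_alerts(lines, max_priority=2):
    """Keep alerts whose priority is at or below the threshold (lower is more urgent)."""
    parsed = (parse_fast_alert(l) for l in lines)
    return [a for a in parsed if a and a["priority"] <= max_priority]
```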
