policy/files/unified2/main.zeek
Unified2
Namespace: Unified2
Imports:
Summary
Redefinable Options
- Unified2::classification_config: The classification.config file you would like to use for your alerts.
- Unified2::gen_msg: The gen-msg.map file you would like to use for your alerts.
- Unified2::sid_msg: The sid-msg.map file you would like to use for your alerts.
- Unified2::watch_dir: Directory to watch for Unified2 records.
- Unified2::watch_file: Single file to watch for Unified2 records.
Types
- Unified2::Info
Redefinitions
Events
- Unified2::alert: Reconstructed “alert” which combines related events and packets.
- Unified2::log_unified2: The event for accessing logged records.
Hooks
Detailed Interface
Redefinable Options
- Unified2::classification_config
  The classification.config file you would like to use for your alerts. When loaded, the classification string in Unified2::Info is resolved from classification_id.
- Unified2::gen_msg
  The gen-msg.map file you would like to use for your alerts. When loaded, the generator string in Unified2::Info is resolved from generator_id.
- Unified2::sid_msg
  The sid-msg.map file you would like to use for your alerts. When loaded, the signature string in Unified2::Info is resolved from signature_id.
- Unified2::watch_dir
  Directory to watch for Unified2 records.
- Unified2::watch_file
  Single file to watch for Unified2 records.
Types
- Unified2::Info
  Type: record
  - ts: time &log
    Timestamp attached to the alert.
  - id: Unified2::PacketID &log
    Addresses and ports for the connection.
  - sensor_id: count &log
    Sensor that originated this event.
  - signature_id: count &log
    Signature id for this generator.
  - signature: string &optional &log
    A string representation of the signature_id field; only present if a sid-msg.map file was loaded.
  - generator_id: count &log
    Which generator generated the alert?
  - generator: string &optional &log
    A string representation of the generator_id field; only present if a gen-msg.map file was loaded.
  - signature_revision: count &log
    Signature revision for this id.
  - classification_id: count &log
    Event classification.
  - classification: string &optional &log
    Descriptive classification string; only present if a classification.config file was loaded.
  - priority_id: count &log
    Event priority.
  - event_id: count &log
    Event ID.
  - packet: string &optional &log
    Some of the packet data.
Events
- Unified2::alert
  Type: event (f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet)
  Reconstructed “alert” which combines related events and packets.
- Unified2::log_unified2
  Type: event (rec: Unified2::Info)
  The event for accessing logged records. It is raised once per Unified2::Info record before the record is written to the log.
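The options and events above are normally used together: point watch_dir at a sensor's Unified2 spool, load the map files so the &optional signature, generator and classification strings are filled in, and handle Unified2::log_unified2 to act on each Unified2::Info record. The script below is an added example and is not part of main.zeek or the Zeek distribution. The file paths, the module name Unified2Example, the Notice type, the Unified2::PacketID field names (src_ip, src_p, dst_ip, dst_p) and the assumption that Snort priority 1 is the most severe are all assumptions to be checked against your sensor's configuration.

```zeek
# Added example, not part of policy/files/unified2/main.zeek.
# Watches a Snort/Suricata Unified2 spool directory, loads the map files so
# names are resolved, and raises a Notice for the most severe alerts.
@load base/frameworks/notice
@load policy/files/unified2

module Unified2Example;

export {
    redef enum Notice::Type += {
        ## A Unified2 alert carrying the highest (most severe) priority.
        High_Priority_Alert,
    };
}

# Assumed paths for a stock Snort install; adjust to your sensor.
redef Unified2::watch_dir = "/var/log/snort/";
redef Unified2::classification_config = "/etc/snort/classification.config";
redef Unified2::gen_msg = "/etc/snort/gen-msg.map";
redef Unified2::sid_msg = "/etc/snort/sid-msg.map";

# Sensor/event pairs already reported, so that a re-read of the same spool
# file (e.g. after a restart) does not produce duplicate notices.
global seen_events: set[count, count] &create_expire=1hr;

event Unified2::log_unified2(rec: Unified2::Info)
{
    # Assumption: Snort's classification.config uses 1 for the highest priority.
    if ( rec$priority_id != 1 )
        return;

    if ( [rec$sensor_id, rec$event_id] in seen_events )
        return;
    add seen_events[rec$sensor_id, rec$event_id];

    # signature and classification are &optional: they are only set when the
    # corresponding map file loaded, so fall back to the numeric ids.
    local sig = rec?$signature ? rec$signature : fmt("sid %d", rec$signature_id);
    local cls = rec?$classification ? rec$classification : fmt("class %d", rec$classification_id);

    NOTICE([$note=High_Priority_Alert,
            $msg=fmt("%s (%s) gid=%d rev=%d", sig, cls,
                     rec$generator_id, rec$signature_revision),
            $src=rec$id$src_ip,
            $dst=rec$id$dst_ip,
            $p=rec$id$dst_p,
            # Suppress repeats of the same sensor/event pair via the Notice framework.
            $identifier=cat(rec$sensor_id, rec$event_id)]);
}
```

Load the script from local.zeek (or pass it to zeek directly) on the host that has read access to the spool directory. The dedup set and the Notice identifier address the same failure mode from two sides: the Unified2 reader re-delivers records when a spool file is re-opened, and without one of these guards every restart re-raises old alerts.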