We’ve deployed Snort rules on the packet decoder, as described at https://community.emc.com/thread/187546?start=30&tstart=0, and it works great.
The problem I'm trying to solve is that we need to chart the Snort rules that are being matched, but the Snort parser populates the risk.* metakeys. So if I make a rule selecting, i.e., risk.info where threat.source=’snort rule’, we see the Snort message of course, but also lots of other values in risk.info.
If the Snort message were in a custom metakey, it would be easier to chart.
Do you know if there is a way to have the Snort parser update a custom metakey, i.e. snort.message?
Or do you have any other great ideas to solve my problem?
Thanks in advance!