Chart on Snort Rules hits

Discussion created by RSA Admin Employee on Apr 20, 2015

Hi,

We’ve deployed Snort rules on the packet decoder, as described at https://community.emc.com/thread/187546?start=30&tstart=0, and it works great.

The problem I'm trying to solve is that we need to chart the Snort rules that are being matched, but the Snort parser populates the risk.* meta keys. So if I make a rule selecting, i.e., risk.info where threat.source='snort rule', we see the Snort message of course, but also lots of other values in risk.info.

If the snort message were in a custom metakey, it would be easier to chart.

Do you know if there is a way to have the Snort parser update a custom meta key, i.e. snort.message?

Or do you have any other great ideas to solve my problem?

Thanks in advance!

Best regards

Tommy Abrahamsson
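One way to get a clean per-rule hit count without a custom meta key, as an added example that is not part of the post above and not RSA's or the Snort parser's own code: since the values the Snort parser writes into risk.info are the msg strings of the deployed rules, the deployed rule file itself is the whitelist. The example parses msg and sid out of a constructed Snort rule file, then counts only those risk.info values that are known rule messages, restricted to sessions where threat.source contains 'snort rule'. The session records are constructed dictionaries standing in for exported NetWitness meta (multi-valued keys as lists); the exact export format, and whether the parser unescapes quotes inside msg strings, are assumptions.

```python
import re
from collections import Counter

# Constructed sample rule file (not a real deployed ruleset): two rules plus a comment.
SNORT_RULES = r'''
alert tcp any any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Suspicious User-Agent \"curl\""; content:"User-Agent: curl"; sid:1000002; rev:1;)
# disabled rule, ignored by the parser
'''

# msg:"..." allowing backslash-escaped quotes inside the string; sid:<digits>
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)')


def parse_snort_messages(rules_text):
    """Return {msg: sid} for every active (non-comment) rule in a Snort rule file.

    Assumption: the Snort parser stores msg with backslash escapes removed, so
    the same unescaping is applied here to make the whitelist comparable.
    """
    messages = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        msg = MSG_RE.search(line)
        sid = SID_RE.search(line)
        if msg and sid:
            messages[msg.group(1).replace('\\"', '"')] = int(sid.group(1))
    return messages


# Constructed meta records standing in for exported sessions; every key is
# multi-valued because several parsers can write to the same meta key.
SESSIONS = [
    {"threat.source": ["snort rule"],
     "risk.info": ["SSH brute force attempt", "ssh brute force"]},
    {"threat.source": ["snort rule"],
     "risk.info": ["SSH brute force attempt"]},
    {"threat.source": ["snort rule", "other parser"],
     "risk.info": ['Suspicious User-Agent "curl"', "http suspicious ua"]},
    {"threat.source": ["other parser"],
     "risk.info": ["something unrelated"]},
]


def naive_counts(sessions):
    """The query from the post: every risk.info value where threat.source='snort rule'.

    Values written by other parsers into the same sessions leak into the result.
    """
    counts = Counter()
    for session in sessions:
        if "snort rule" in session.get("threat.source", []):
            counts.update(session.get("risk.info", []))
    return counts


def snort_hit_counts(sessions, rules):
    """Count risk.info values only when they are a known Snort rule message."""
    counts = Counter()
    for session in sessions:
        if "snort rule" not in session.get("threat.source", []):
            continue
        for value in session.get("risk.info", []):
            if value in rules:
                counts[value] += 1
    return counts


def chart_rows(sessions, rules):
    """Chart-ready rows: (sid, msg, hits), busiest rule first, zero-hit rules included."""
    hits = snort_hit_counts(sessions, rules)
    rows = [(sid, msg, hits.get(msg, 0)) for msg, sid in rules.items()]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    rules = parse_snort_messages(SNORT_RULES)
    print("naive:", dict(naive_counts(SESSIONS)))
    for sid, msg, hits in chart_rows(SESSIONS, rules):
        print(f"{sid}\t{hits}\t{msg}")
```

The naive query returns four distinct values for the three Snort sessions, two of which are not Snort messages at all; restricting to the parsed whitelist leaves exactly the two rule messages. The same restriction can be applied at query time by generating a risk.info value list from the parsed rule file, so a chart only ever shows deployed rules.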