RSA Admin

Chart on Snort Rules hits

Discussion created by RSA Admin Employee on Apr 20, 2015


We’ve deployed Snort rules on the packet decoder, as described at, and it works great.

The problem I'm trying to solve is that we need to chart the Snort rules that are being matched, but the Snort parser populates the risk.* metakeys. So if I make a rule, selecting i.e. where threat.source='snort rule', we see the Snort message of course, but lots of other values in


If the snort message were in a custom metakey, it would be easier to chart.


Do you know if there is a way to have the Snort parser update a custom metakey, i.e. snort.message?

Or do you have any other great ideas to solve my problem?


Thanks in advance!

Best regards

Tommy Abrahamsson