Hi all,
Considering I have a list of IP addresses in variables (e.g. HTTP_SERVERS: "[192.168.128.0/24]", SMTP_SERVERS: "[192.168.10.0/24]") and a ruleset with a rule e.g.
alert ip any any -> any any (msg: "test"; sid: 1;)
Is it possible to include a tag or some kind of information that would tell which variable(s) fit the IP addresses?
So that an alert would contain information something like:
192.168.10.32 (SMTP_SERVERS) -> 57.43.7.32 (unknown) "test"
Thanks.
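
One way to produce this kind of line outside the engine, as an added example that is not part of the original post and not Suricata's own code: post-process the EVE JSON alert output and label each address with the address-group variable(s) that contain it. The sample events are constructed, the function names are hypothetical, and only flat lists with optional `!` negation are parsed.

```python
import ipaddress
import json

# Address groups from the post (syntax of vars.address-groups in suricata.yaml).
ADDRESS_GROUPS = {
    "HTTP_SERVERS": "[192.168.128.0/24]",
    "SMTP_SERVERS": "[192.168.10.0/24]",
}

# Constructed EVE JSON records (sample input, not captured traffic).
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.10.32","dest_ip":"57.43.7.32","alert":{"signature_id":1,"signature":"test"}}
{"event_type":"flow","src_ip":"192.168.128.5","dest_ip":"192.168.10.7"}
{"event_type":"alert","src_ip":"192.168.128.5","dest_ip":"192.168.10.7","alert":{"signature_id":1,"signature":"test"}}
"""


def parse_group(value):
    """Parse a flat group like "[10.0.0.0/8, !10.1.0.0/16]" into (included, excluded)."""
    included, excluded = [], []
    for item in value.strip().strip("[]").split(","):
        item = item.strip()
        if item:  # nested lists and $VAR references are not handled here
            target = excluded if item.startswith("!") else included
            target.append(ipaddress.ip_network(item.lstrip("!"), strict=False))
    return included, excluded


def label(ip, groups):
    """Return the comma-joined names of all groups containing ip, or "unknown"."""
    addr = ipaddress.ip_address(ip)
    names = [name for name, (inc, exc) in groups.items()
             if any(addr in n for n in inc) and not any(addr in n for n in exc)]
    return ",".join(names) or "unknown"


def annotate(eve_text, address_groups=ADDRESS_GROUPS):
    """Return one annotated line per alert event in newline-delimited EVE JSON."""
    groups = {name: parse_group(v) for name, v in address_groups.items()}
    out = []
    for line in eve_text.splitlines():
        event = json.loads(line)
        if event.get("event_type") == "alert":  # skip flow, dns, etc.
            src, dst = event["src_ip"], event["dest_ip"]
            out.append('%s (%s) -> %s (%s) "%s"' % (
                src, label(src, groups), dst, label(dst, groups),
                event["alert"]["signature"]))
    return out

if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE_EVE)))
```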