Add a tag to IP addresses in alerts

lukashino · July 27, 2023, 11:23am

Hi all,

Considering I have a list of IP addresses in variables (e.g. HTTP_SERVERS: “[192.168.128.0/24]”, SMTP_SERVERS: “[192.168.10.0/24]”) and a ruleset with a rule e.g.
alert ip any any -> any any (msg: "test"; sid: 1;)

Is it possible to include a tag or some kind of information that would tell which variable(s) fit the IP addresses?

So that an alert would contain information something like:
192.168.10.32 (SMTP_SERVERS) -> 57.43.7.32 (unknown) "test"

Thanks.

Topic		Replies	Views
Query about custom rule	12	228	December 18, 2023
Disable alerts based on rule ID and IP Address combination Help	3	1854	December 9, 2020
$HOME_NET in suricata rule ignored? Rules rules , suricata	2	305	December 18, 2023
How to create ICMP alerts per packet Rules	1	800	December 1, 2023
Only getting alerts if $home_net and $external_net are set to "any" Help	1	1540	October 14, 2020

Add a tag to IP addresses in alerts

Related topics