Whether if possible extracting groups matched in pcre to msg field

Rules
,
1

Hello everyone,

I’m fairly new to Suricata and am looking to use it for asset discovery by analyzing pcap dumps from network switches. I’m wondering if it’s possible to extract specific matched groups (e.g., version numbers) from PCRE patterns and include them in the msg field of alerts. Any insights would be much appreciated. Thank you!

2

No, but they can be extracted to metadata that is logged as part of the alert, see: 8.7. Payload Keywords — Suricata 8.0.1 documentation

3

Thanks so much for your helpful response! :smiley: Given that, I intend to develop a log parsing and aggregating tool to concatenate the matched groups with the alert msg.