log_incident

This ihandler exports incidents in real time so that they can be processed by external programs.

Warning

This ihandler is in a pre-alpha state and might be changed or removed in the future.

Configure

handlers

List of URLs to submit the incidents to. Only the file, http and https URL schemes are supported at the moment. With plain http the incident data (sensor name, IP addresses, hostnames) is sent in cleartext, so prefer https for any handler that is not on the local host.

Format

Each incident is submitted as one JSON object with the structure below. Values in angle brackets are placeholders; the internal ID and the ports are numbers, all other fields are strings. Note that remote_hostname is the result of a reverse DNS lookup and can therefore be chosen by the remote side; treat it as untrusted display data, not as a key for correlation.

{
   "name": "<sensor-name>",
   "origin": "<name of the incident>",
   "timestamp": "<date in ISO 8601>",
   "data": {
      "connection": {
         "id": <internal ID>,
         "local_ip": "<local IP>",
         "local_port": <local port>,
         "remote_ip": "<remote IP>",
         "remote_hostname": "<remote hostname if resolvable>",
         "remote_port": <remote port>,
         "protocol": "<protocol>",
         "transport": "<transport tcp|udp>"
      }
   }
}
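A small consumer for records in this format, as an added example (it is not part of dionaea and not the project's own code): it validates each record against the fields documented above, tolerates a partially written last line, and reads a newline-delimited file. That the file handler writes one JSON object per line is an assumption of this example, and all sample records and values (incident names, addresses, ports) are constructed here for illustration.

```python
"""Consumer for dionaea log_incident JSON records (added example, not dionaea code)."""
import json
import tempfile
from datetime import datetime
from ipaddress import ip_address

REQUIRED_TOP = ("name", "origin", "timestamp", "data")
REQUIRED_CONN = ("id", "local_ip", "local_port", "remote_ip",
                 "remote_hostname", "remote_port", "protocol", "transport")


def _check_port(value, field):
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 65535:
        raise ValueError(f"{field}: expected integer port 0-65535, got {value!r}")
    return value


def parse_incident(line):
    """Parse one JSON record and validate it against the documented format.

    Raises ValueError for malformed JSON, missing keys or out-of-range values,
    so a consumer can skip a bad record instead of crashing on it.
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(rec, dict):
        raise ValueError("record is not a JSON object")
    for key in REQUIRED_TOP:
        if key not in rec:
            raise ValueError(f"missing top-level field {key!r}")
    # ISO 8601 timestamp; a trailing "Z" is normalised for older Pythons.
    datetime.fromisoformat(str(rec["timestamp"]).replace("Z", "+00:00"))
    conn = rec["data"].get("connection") if isinstance(rec["data"], dict) else None
    if not isinstance(conn, dict):
        raise ValueError("data.connection missing")
    for key in REQUIRED_CONN:
        if key not in conn:
            raise ValueError(f"missing data.connection.{key}")
    ip_address(conn["local_ip"])
    ip_address(conn["remote_ip"])
    _check_port(conn["local_port"], "local_port")
    _check_port(conn["remote_port"], "remote_port")
    if conn["transport"] not in ("tcp", "udp"):
        raise ValueError(f"unexpected transport {conn['transport']!r}")
    # remote_hostname comes from reverse DNS, i.e. the remote side can pick it:
    # it is kept for display only and never used as a lookup key here.
    return rec


def summarize(rec):
    """Return the fields an analyst usually pivots on, as a tuple."""
    conn = rec["data"]["connection"]
    return (rec["origin"], conn["remote_ip"], conn["remote_port"],
            conn["local_port"], conn["protocol"], conn["transport"])


def read_incident_log(path):
    """Read a newline-delimited incident file; return (records, errors).

    Assumes one JSON object per line. A truncated last line (the writer is
    still appending) or an invalid record is reported, not fatal.
    """
    records, errors = [], []
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line:
                continue
            try:
                records.append(parse_incident(line))
            except ValueError as exc:
                errors.append((lineno, str(exc)))
    return records, errors


def _conn(cid, lip, lport, rip, rport, proto, transport, hostname=""):
    return {"id": cid, "local_ip": lip, "local_port": lport, "remote_ip": rip,
            "remote_hostname": hostname, "remote_port": rport,
            "protocol": proto, "transport": transport}


# Constructed sample records shaped like the documented format (not real data).
SAMPLE_LINES = [
    json.dumps({"name": "sensor-1", "origin": "dionaea.connection.tcp.accept",
                "timestamp": "2024-05-01T12:00:00+00:00",
                "data": {"connection": _conn(1, "10.0.0.5", 445, "203.0.113.7",
                                             51234, "smbd", "tcp")}}),
    json.dumps({"name": "sensor-1", "origin": "dionaea.connection.udp.connect",
                "timestamp": "2024-05-01T12:00:01Z",
                "data": {"connection": _conn(2, "10.0.0.5", 69, "198.51.100.20",
                                             40000, "tftpd", "udp", "example.invalid")}}),
    json.dumps({"name": "sensor-1", "origin": "dionaea.connection.tcp.accept",
                "timestamp": "2024-05-01T12:00:02+00:00",
                "data": {"connection": _conn(3, "10.0.0.5", 21, "203.0.113.9",
                                             70000, "ftpd", "tcp")}}),  # bad port
    '{"name": "sensor-1", "origin": "dionaea.connec',  # truncated last line
]


def write_sample_log():
    """Write the constructed records to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False,
                                     encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_LINES))
    return fh.name


if __name__ == "__main__":
    good, bad = read_incident_log(write_sample_log())
    for rec in good:
        print(summarize(rec))
    for lineno, err in bad:
        print(f"line {lineno}: skipped ({err})")
```

Because the file handler appends while a consumer reads, the loop treats a half-written line as a recoverable error; a tailer that re-reads the file can pick the record up once the write completes.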

Example config

ihandlers/log_incident.yaml
# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0

- name: log_incident
  config:
    handlers:
      #- http://127.0.0.1:8080/
      - file://@DIONAEA_STATEDIR@/dionaea_incident.json