OSSEC将解码器中允许的字段添加到规则描述中

我将OSSEC用于HIDS。

我创建了一个自定义解码器，并从日志中提取了字段，如srcip、dstip和协议。

这是使用测试的日志/ossec logtest

Sep  2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0

为日志编写的解码器是：

<decoder name="iptables-blockedip">
<parent>iptables</parent>
<prematch offset="after_parent">^S+ [UFW BLOCK] IN=S+ OUT= MAC=S+ </prematch>
<regex offset="after_prematch">^SRC=(S+) DST=(S+) LEN=S+ TOS=S+ PREC=S+ TTL=S+ ID=S+ PROTO=(S+) SPT=(S+) DPT=(S+) WINDOW=S+ RES=S+ URGP=S+$</regex>
<order>srcip,dstip,protocol,srcport,dstport</order>
</decoder>

它的规则是：

<rule id="100002" level="8">
<decoded_as>iptables</decoded_as>
<description>An ip was blocked by the firewall</description>
</rule>

这是ossec logtest 的结果

**Phase 1: Completed pre-decoding.
full event: 'Sep  2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0'
hostname: 'rana-HP-Notebook'
program_name: 'kernel'
log: '[21261.042146] [UFW BLOCK] IN=wlp19s0 OUT= MAC=cc:b0:da:66:20:c3:00:23:15:d4:dd:70:08:00 SRC=192.153.41.125 DST=192.153.41.12 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=28858 PROTO=TCP SPT=2662 DPT=0 WINDOW=512 RES=0x00 URGP=0'
**Phase 2: Completed decoding.
decoder: 'iptables'
srcip: '192.153.41.125'
dstip: '192.153.41.12'
proto: 'TCP'
srcport: '2662'
dstport: '0'
**Phase 3: Completed filtering (rules).
Rule id: '100002'
Level: '8'
Description: 'An ip was blocked by the firewall'

现在主要的问题是：

是否可以将解码器中的srcip添加到规则描述中，以便在发出警报时将其显示在描述中。

我对ossec logtest第3阶段的预期结果是：

**Phase 3: Completed filtering (rules).
Rule id: '100002'
Level: '8'
Description: 'An ip 192.153.41.125 was blocked by the firewall'