After malicious traffic matches a signature, the third-generation engine extracts the evidence collection field content customized by the user in the signature and displays it in the IPS response log. Common evidence collection is to capture packets during attack, and while evidence collection using a customized field is more flexible.

When the user wants to extract fields from malicious traffic as evidence collection basis after a signature is matched, the keyword **log** can be used. An example is as follows:

```
flow: message; pkt_data; content:"dNCLMCYMRzU"; http_uri; log:http_uri,http_host;
```

If the HTTP URI contains **dNCLMCYMRzU**, the rule is matched. **<font color = red>log:http_uri, http_host;</font>** are the customized evidence collection keywords. In this case, the URI content and HOST content are extracted and displayed in the IPS response log for reference during evidence collection.

When writing evidence collection keywords, pay attention to the following points:

- The configured evidence collection field must be written in the last part of a rule. A maximum of five evidence collection fields can be configured in a rule. Currently, a total of 189 bytes can be extracted from evidence collection.
- The detection part must be included in a rule. A signature cannot contain only the evidence collection part.
- Evidence collection fields are separated by a comma (,) and ended with a semicolon (;).
- The protocols of evidence collection fields in the same signature must be the same.

### 6.2 Supported Evidence Collection Fields

Attack Evidence Collection Keyword log