output: Add direction for eve JSON logs #3521
Conversation
After having mulled over this a bit I am inclined to change the "flow_direction" into a better name, just not sure what it should be? event_direction maybe?
I agree the field could be very useful. My primary concern with it is that in the various Suricata use cases (IDS, IPS) and corner cases (flow timeout, early shutdown, etc.) it may not always lead to consistent values. So I think for this feature to be accepted we need test cases covering each of those scenarios in https://github.com/OISF/suricata-verify
Hi Victor,
So this looks fine to me, the feature gives a great enhancement for my SIEM, especially for graphs and live maps, as well as for operators' quick understanding of flows.
What I was hoping for on the suricata-verify side is a PR that adds tests for this feature and/or updates existing tests. That the existing tests have to pass is the default, but we need more tests to have confidence in this feature.
@glongo has offered to create a more comprehensive test set to validate all variations of tcp, udp, midstream, async, ids, ips.
@glongo you can take OISF/suricata-verify#25 as a starting point.
@glongo have you been able to take a look at the tests?
Please rebase and reopen with a comprehensive SV test PR as well.
@victorjulien doing some looking around and so far, this is the most recent thing about direction detection in Suricata, did this get committed, what is required to enable its output? |
Link to redmine ticket: #2644
Describe changes:
This makes it easier to understand what direction the event actually happened in, so you don't have to wonder if a request is to or from a service depending on ports.
Example:
```json
{
  "flow_direction": "to_client",
  "pcap_cnt": 23,
  "event_type": "dns",
  "src_ip": "10.0.0.10",
  "src_port": 53,
  "dest_ip": "10.0.0.201",
  "dest_port": 52697
}
```
I saw from #3438 that you tried to do this for Alerts, but I think it should be part of every event.
I also disabled this for IPS mode as it might behave weird in IPS mode.
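As an added example of how a log consumer (a SIEM pipeline, say) would use the proposed field, the Python below normalizes eve JSON records into client/server endpoints. It is not code from this PR or from Suricata: the sample events are constructed, the `to_server` value is assumed as the counterpart of the `to_client` value shown in the description, and the port heuristic is the fallback the field is meant to make unnecessary for events that lack it (for instance in IPS mode, where the PR disables the output).

```python
"""Normalize Suricata eve JSON events into client/server endpoints using
the proposed "flow_direction" field.

Added example, not code from the PR or from Suricata. The sample records
below are constructed; the value "to_server" is assumed as the opposite of
the "to_client" value shown in the PR description.
"""
import json
from typing import Optional

# Constructed sample eve records (not a real capture). The third record has
# no flow_direction, as an event logged in IPS mode would per the PR.
SAMPLE_EVE = """\
{"event_type":"dns","flow_direction":"to_client","src_ip":"10.0.0.10","src_port":53,"dest_ip":"10.0.0.201","dest_port":52697}
{"event_type":"http","flow_direction":"to_server","src_ip":"10.0.0.201","src_port":40111,"dest_ip":"192.0.2.8","dest_port":8080}
{"event_type":"flow","src_ip":"10.0.0.201","src_port":40112,"dest_ip":"192.0.2.8","dest_port":443}
"""


def endpoints(event: dict) -> Optional[dict]:
    """Map one eve event to {"client": (ip, port), "server": (ip, port), "source": str}.

    With flow_direction present the mapping is exact: "to_server" means the
    packet's src is the flow's client, "to_client" means src is the server.
    Without the field, fall back to the well-known-port heuristic and mark
    the result so downstream consumers can treat it with less confidence.
    An unrecognised direction value returns None rather than a guess.
    """
    src = (event["src_ip"], event["src_port"])
    dst = (event["dest_ip"], event["dest_port"])
    direction = event.get("flow_direction")
    if direction == "to_server":
        return {"client": src, "server": dst, "source": "flow_direction"}
    if direction == "to_client":
        return {"client": dst, "server": src, "source": "flow_direction"}
    if direction is not None:
        return None
    # Heuristic: the lower port is more likely the service side.
    if src[1] < dst[1]:
        return {"client": dst, "server": src, "source": "port_heuristic"}
    return {"client": src, "server": dst, "source": "port_heuristic"}


def normalize(eve_text: str) -> list:
    """Parse newline-delimited eve JSON and return normalized records,
    skipping blank lines and events whose direction cannot be resolved."""
    out = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ep = endpoints(ev)
        if ep is None:
            continue
        out.append({"event_type": ev["event_type"], **ep})
    return out


if __name__ == "__main__":
    for rec in normalize(SAMPLE_EVE):
        print(rec)
```

The DNS response in the first record has `src_port` 53, which is exactly the case the PR description raises: without the field a consumer has to infer from the port that the source is the server, whereas `to_client` states it directly. Records without the field still get an answer, but `"source": "port_heuristic"` lets graphs and live maps flag them as inferred.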