one click 'show all events for this flow' button

[inliniac]

Most of the time we'll have more than one event for a flow, e.g.a http event, fileinfo event and one or more alerts. Or various ssh scan alerts combined with a reputation alert.

I would love to see something that allows me to click on any event and then shows a view of all events related to this flow.

[inliniac]

Btw, in Suricata 2.1 all these records will share a 'flow_id' field.

[jasonish]

I've added the flow ID to the event details display with a link that constructs a query string to limit the result set to all events with that flow ID, and between the ip_src and dest_ip. I think it could be better placed for easy accessibility, but then again, I'm also thinking the details display could use some tuning up as well.

[inliniac]

Clicking it doesn't fully work yet, the URL just ends in "?q=" for me. I think it should add "+flow_id:"" or something similar to that. Tried from the alert view.

[jasonish]

I wonder if it's a browser caching issue - the updated html loaded but the js didn't? I'll need to learn how to deal with the cache in single page apps like this.

On Jan 14, 2015, at 5:56 AM, Victor Julien notifications@github.com wrote:

Clicking it doesn't fully work yet, the URL just ends in "?q=" for me. I think it should add "+flow_id:"" or something similar to that. Tried from the alert view.

—
Reply to this email directly or view it on GitHub.

[inliniac]

That was it!

[jasonish]

In master. The generated query string has been tightened up a bit from the first version.