Actions
Feature #1005
openconditional logging: controlling what gets logged
Effort:
Difficulty:
Label:
Description
For http, files, tls, dns, etc.
Per log option: enabled, conditional, disabled
Per rule keyword: log:(all|tls|http|dns|file);
Updated by Andreas Herz over 7 years ago
- Related to Feature #821: conditional logging: output steering added
Updated by Andreas Herz over 7 years ago
- Related to Feature #821: conditional logging: output steering added
Updated by Andreas Herz over 7 years ago
- Related to deleted (Feature #821: conditional logging: output steering)
Updated by Victor Julien over 6 years ago
- Related to Feature #843: Custom http logging filter functionality added
Updated by Victor Julien about 5 years ago
- Related to Feature #2661: output the http-body-data to eve.json added
Updated by Victor Julien about 5 years ago
- Related to Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extracted added
Updated by Victor Julien about 5 years ago
- Related to Feature #1950: allow configuration of file-store types added
Updated by Victor Julien about 5 years ago
Dumping some notes about what this could look like.
The idea here is to add a new 'config' action with a 'config' keyword that would allow the rule writer to enable/disable certain features for a certain scope.
config tcp any any -> any any (config:<subsys>, <enable>, type <subtype>, scope <scope>; .. ) config tcp any any -> any any (config:logging, disable, type file, scope flow; .. ) config http any any -> any any (http.uri; content:"/index.html"; config:logging, disable, type file, scope flow; .. ) config dns any any -> any any (dns.query; content:"google.com"; endswith; config:logging, disable, type proto, scope tx; .. ) config logging: state: enable/disable type: proto (depends on alproto, so http, smb, etc) file alert drop scope: packet flow tx file src_ip dest_ip ip_pair bypass: state: enable/disable scope: flow src_ip dest_ip ip_pair inspect (pass): state: enable/disable type: packet payload applayer file stream-events (config ... (stream_is_lossy; config:inspect, disable, type stream-events, scope flow; ...)) scope: packet flow tx file src_ip dest_ip ip_pair
Updated by Victor Julien about 5 years ago
- Subject changed from conditional logging to conditional logging: controlling what gets logged
Updated by Victor Julien almost 5 years ago
- Target version changed from TBD to 6.0.0beta1
Updated by Victor Julien almost 5 years ago
- Priority changed from Normal to High
Updated by Victor Julien almost 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien over 4 years ago
- Target version changed from 6.0.0beta1 to 7.0.0-beta1
Updated by Victor Julien about 4 years ago
- Related to Feature #121: Alert on domain name look up, capture traffic for corresponding IP added
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions