Project

General

Profile

Actions

Feature #1005

open

conditional logging: controlling what gets logged

Added by Victor Julien about 11 years ago. Updated about 2 years ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

For http, files, tls, dns, etc.

Per log option: enabled, conditional, disabled

Per rule keyword: log:(all|tls|http|dns|file);


Subtasks 1 (0 open1 closed)

Feature #3823: conditional logging: tx log filteringClosedVictor JulienActions

Related issues 6 (5 open1 closed)

Related to Suricata - Feature #821: conditional logging: output steeringNewCommunity TicketActions
Related to Suricata - Feature #843: Custom http logging filter functionalityClosedCommunity TicketActions
Related to Suricata - Feature #2661: output the http-body-data to eve.jsonNewCommunity TicketActions
Related to Suricata - Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extractedNewOISF DevActions
Related to Suricata - Feature #1950: allow configuration of file-store typesNewCommunity TicketActions
Related to Suricata - Feature #121: Alert on domain name look up, capture traffic for corresponding IPNewCommunity TicketActions
Actions #1

Updated by Victor Julien about 11 years ago

  • Target version set to TBD
Actions #2

Updated by Andreas Herz almost 9 years ago

  • Assignee set to OISF Dev
Actions #3

Updated by Andreas Herz over 7 years ago

  • Related to Feature #821: conditional logging: output steering added
Actions #4

Updated by Andreas Herz over 7 years ago

  • Related to Feature #821: conditional logging: output steering added
Actions #5

Updated by Andreas Herz over 7 years ago

  • Related to deleted (Feature #821: conditional logging: output steering)
Actions #6

Updated by Victor Julien over 6 years ago

  • Related to Feature #843: Custom http logging filter functionality added
Actions #7

Updated by Victor Julien about 5 years ago

  • Related to Feature #2661: output the http-body-data to eve.json added
Actions #8

Updated by Victor Julien about 5 years ago

  • Related to Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extracted added
Actions #9

Updated by Victor Julien about 5 years ago

  • Related to Feature #1950: allow configuration of file-store types added
Actions #10

Updated by Victor Julien about 5 years ago

Dumping some notes about what this could look like.

The idea here is to add a new 'config' action with a 'config' keyword that would allow the rule writer to enable/disable certain features for a certain scope.

config tcp any any -> any any (config:<subsys>, <enable>, type <subtype>, scope <scope>; .. )

config tcp any any -> any any (config:logging, disable, type file, scope flow; .. )
config http any any -> any any (http.uri; content:"/index.html"; config:logging, disable, type file, scope flow; .. )
config dns any any -> any any (dns.query; content:"google.com"; endswith; config:logging, disable, type proto, scope tx; .. )

config
  logging:
    state: enable/disable
    type:
      proto (depends on alproto, so http, smb, etc)
      file
      alert
      drop
    scope:
      packet
      flow
      tx
      file
      src_ip
      dest_ip
      ip_pair
  bypass:
    state: enable/disable
    scope:
      flow
      src_ip
      dest_ip
      ip_pair
  inspect (pass):
    state: enable/disable
    type:
      packet
      payload
      applayer
      file
      stream-events (config ... (stream_is_lossy; config:inspect, disable, type stream-events, scope flow; ...))
    scope:
      packet
      flow
      tx
      file
      src_ip
      dest_ip
      ip_pair
Actions #11

Updated by Victor Julien about 5 years ago

  • Subject changed from conditional logging to conditional logging: controlling what gets logged
Actions #12

Updated by Victor Julien almost 5 years ago

  • Target version changed from TBD to 6.0.0beta1
Actions #13

Updated by Victor Julien almost 5 years ago

  • Priority changed from Normal to High
Actions #14

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
Actions #15

Updated by Victor Julien over 4 years ago

  • Target version changed from 6.0.0beta1 to 7.0.0-beta1
Actions #16

Updated by Victor Julien about 4 years ago

  • Related to Feature #121: Alert on domain name look up, capture traffic for corresponding IP added
Actions #17

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions #18

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions

Also available in: Atom PDF