Project

General

Profile

Feature #1005

conditional logging: controlling what gets logged

Added by Victor Julien over 7 years ago. Updated 4 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

For http, files, tls, dns, etc.

Per log option: enabled, conditional, disabled

Per rule keyword: log:(all|tls|http|dns|file);


Subtasks

Feature #3823: conditional logging: tx log filteringClosedVictor JulienActions

Related issues

Related to Feature #821: conditional logging: output steeringNewCommunity TicketActions
Related to Feature #843: Custom http logging filter functionalityNewCommunity TicketActions
Related to Feature #2661: output the http-body-data to eve.jsonNewCommunity TicketActions
Related to Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extractedNewOISF DevActions
Related to Feature #1950: allow configuration of file-store typesNewCommunity TicketActions
Related to Feature #121: Alert on domain name look up, capture traffic for corresponding IPNewCommunity TicketActions
#1

Updated by Victor Julien over 7 years ago

  • Target version set to TBD
#2

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
#3

Updated by Andreas Herz about 4 years ago

  • Related to Feature #821: conditional logging: output steering added
#4

Updated by Andreas Herz about 4 years ago

  • Related to Feature #821: conditional logging: output steering added
#5

Updated by Andreas Herz about 4 years ago

  • Related to deleted (Feature #821: conditional logging: output steering)
#6

Updated by Victor Julien almost 3 years ago

  • Related to Feature #843: Custom http logging filter functionality added
#7

Updated by Victor Julien over 1 year ago

  • Related to Feature #2661: output the http-body-data to eve.json added
#8

Updated by Victor Julien over 1 year ago

  • Related to Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extracted added
#9

Updated by Victor Julien over 1 year ago

  • Related to Feature #1950: allow configuration of file-store types added
#10

Updated by Victor Julien over 1 year ago

Dumping some notes about what this could look like.

The idea here is to add a new 'config' action with a 'config' keyword that would allow the rule writer to enable/disable certain features for a certain scope.

config tcp any any -> any any (config:<subsys>, <enable>, type <subtype>, scope <scope>; .. )

config tcp any any -> any any (config:logging, disable, type file, scope flow; .. )
config http any any -> any any (http.uri; content:"/index.html"; config:logging, disable, type file, scope flow; .. )
config dns any any -> any any (dns.query; content:"google.com"; endswith; config:logging, disable, type proto, scope tx; .. )

config
  logging:
    state: enable/disable
    type:
      proto (depends on alproto, so http, smb, etc)
      file
      alert
      drop
    scope:
      packet
      flow
      tx
      file
      src_ip
      dest_ip
      ip_pair
  bypass:
    state: enable/disable
    scope:
      flow
      src_ip
      dest_ip
      ip_pair
  inspect (pass):
    state: enable/disable
    type:
      packet
      payload
      applayer
      file
      stream-events (config ... (stream_is_lossy; config:inspect, disable, type stream-events, scope flow; ...))
    scope:
      packet
      flow
      tx
      file
      src_ip
      dest_ip
      ip_pair
#11

Updated by Victor Julien over 1 year ago

  • Subject changed from conditional logging to conditional logging: controlling what gets logged
#12

Updated by Victor Julien over 1 year ago

  • Target version changed from TBD to 6.0.0beta1
#13

Updated by Victor Julien over 1 year ago

  • Priority changed from Normal to High
#14

Updated by Victor Julien over 1 year ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
#15

Updated by Victor Julien 12 months ago

  • Target version changed from 6.0.0beta1 to 7.0rc1
#16

Updated by Victor Julien 7 months ago

  • Related to Feature #121: Alert on domain name look up, capture traffic for corresponding IP added

Also available in: Atom PDF