Feature #1005: conditional logging: controlling what gets logged
Status: open
Description
For http, files, tls, dns, etc.
Per log option: enabled, conditional, disabled
Per rule keyword: log:(all|tls|http|dns|file);
Updated by Victor Julien over 12 years ago
- Target version set to TBD
Updated by Andreas Herz over 10 years ago
- Assignee set to OISF Dev
Updated by Andreas Herz almost 9 years ago
- Related to Feature #821: conditional logging: output steering added
Updated by Andreas Herz almost 9 years ago
- Related to Feature #821: conditional logging: output steering added
Updated by Andreas Herz almost 9 years ago
- Related to deleted (Feature #821: conditional logging: output steering)
Updated by Victor Julien over 7 years ago
- Related to Feature #843: Custom http logging filter functionality added
Updated by Victor Julien over 6 years ago
- Related to Feature #2661: output the http-body-data to eve.json added
Updated by Victor Julien over 6 years ago
- Related to Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extracted added
Updated by Victor Julien over 6 years ago
- Related to Feature #1950: allow configuration of file-store types added
Updated by Victor Julien over 6 years ago
Dumping some notes about what this could look like.
The idea here is to add a new 'config' action with a 'config' keyword that would allow the rule writer to enable/disable certain features for a certain scope.
config tcp any any -> any any (config:<subsys>, <enable>, type <subtype>, scope <scope>; .. )
config tcp any any -> any any (config:logging, disable, type file, scope flow; .. )
config http any any -> any any (http.uri; content:"/index.html"; config:logging, disable, type file, scope flow; .. )
config dns any any -> any any (dns.query; content:"google.com"; endswith; config:logging, disable, type proto, scope tx; .. )
config
  logging:
    state: enable/disable
    type:
      proto (depends on alproto, so http, smb, etc)
      file
      alert
      drop
    scope:
      packet
      flow
      tx
      file
      src_ip
      dest_ip
      ip_pair
  bypass:
    state: enable/disable
    scope:
      flow
      src_ip
      dest_ip
      ip_pair
  inspect (pass):
    state: enable/disable
    type:
      packet
      payload
      applayer
      file
      stream-events (config ... (stream_is_lossy; config:inspect, disable, type stream-events, scope flow; ...))
    scope:
      packet
      flow
      tx
      file
      src_ip
      dest_ip
      ip_pair
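As an added illustration (not Suricata code; the keyword is only proposed on this page), a small validator for the config option grammar sketched in the notes above. It takes the subsystem, type and scope vocabularies from the notes and assumes that scope is always required, that bypass takes no type, and that options inside a rule are separated by ';' with no ';' inside quoted values; function names are made up for the example.

```python
import re

# Vocabulary taken from the notes above: subsystem -> allowed types and scopes.
# bypass has no 'type' entry in the notes, so its type set is empty (assumption).
CONFIG_GRAMMAR = {
    "logging": {"types": {"proto", "file", "alert", "drop"},
                "scopes": {"packet", "flow", "tx", "file", "src_ip", "dest_ip", "ip_pair"}},
    "bypass": {"types": set(),
               "scopes": {"flow", "src_ip", "dest_ip", "ip_pair"}},
    "inspect": {"types": {"packet", "payload", "applayer", "file", "stream-events"},
                "scopes": {"packet", "flow", "tx", "file", "src_ip", "dest_ip", "ip_pair"}},
}

def parse_config_keyword(value):
    """Parse '<subsys>, <enable|disable>, type <t>, scope <s>' into a dict.

    Raises ValueError for anything outside the sketched grammar."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) < 2:
        raise ValueError("config needs at least '<subsys>, <enable|disable>'")
    subsys, state = parts[0], parts[1]
    if subsys not in CONFIG_GRAMMAR:
        raise ValueError(f"unknown subsystem {subsys!r}")
    if state not in ("enable", "disable"):
        raise ValueError(f"state must be enable or disable, got {state!r}")
    result = {"subsys": subsys, "state": state, "type": None, "scope": None}
    for opt in parts[2:]:
        m = re.fullmatch(r"(type|scope)\s+(\S+)", opt)
        if not m:
            raise ValueError(f"bad option {opt!r}")
        key, val = m.groups()
        if result[key] is not None:
            raise ValueError(f"duplicate {key}")
        if val not in CONFIG_GRAMMAR[subsys][key + "s"]:
            raise ValueError(f"{key} {val!r} not valid for {subsys}")
        result[key] = val
    if result["scope"] is None:          # assumption: scope is always required
        raise ValueError("scope is required")
    if CONFIG_GRAMMAR[subsys]["types"] and result["type"] is None:
        raise ValueError(f"{subsys} requires a type")
    return result

def is_valid_config(value):
    """True if the config keyword value parses under the sketched grammar."""
    try:
        parse_config_keyword(value)
        return True
    except ValueError:
        return False

def extract_config_options(rule):
    """Pull every config:... option out of a rule's option list (constructed rule text)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = (o.strip() for o in body.split(";"))
    return [parse_config_keyword(o[len("config:"):].strip())
            for o in opts if o.startswith("config:")]
```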
Updated by Victor Julien over 6 years ago
- Subject changed from conditional logging to conditional logging: controlling what gets logged
Updated by Victor Julien about 6 years ago
- Target version changed from TBD to 6.0.0beta1
Updated by Victor Julien about 6 years ago
- Priority changed from Normal to High
Updated by Victor Julien about 6 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien almost 6 years ago
- Target version changed from 6.0.0beta1 to 7.0.0-beta1
Updated by Victor Julien over 5 years ago
- Related to Feature #121: Alert on domain name look up, capture traffic for corresponding IP added
Updated by Victor Julien over 3 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien over 3 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Updated by Victor Julien about 1 year ago
- Target version changed from 8.0.0-beta1 to 9.0.0-beta1