Feature #1005: conditional logging: controlling what gets logged - Suricata - Open Information Security Foundation

The idea here is to add a new 'config' action with a 'config' keyword that would allow the rule writer to enable/disable certain features for a certain scope.

config tcp any any -> any any (config:<subsys>, <enable>, type <subtype>, scope <scope>; .. )

config tcp any any -> any any (config:logging, disable, type file, scope flow; .. )
config http any any -> any any (http.uri; content:"/index.html"; config:logging, disable, type file, scope flow; .. )
config dns any any -> any any (dns.query; content:"google.com"; endswith; config:logging, disable, type proto, scope tx; .. )

config
  logging:
    state: enable/disable
    type:
      proto (depends on alproto, so http, smb, etc)
      file
      alert
      drop
    scope:
      packet
      flow
      tx
      file
      src_ip
      dest_ip
      ip_pair
  bypass:
    state: enable/disable
    scope:
      flow
      src_ip
      dest_ip
      ip_pair
  inspect (pass):
    state: enable/disable
    type:
      packet
      payload
      applayer
      file
      stream-events (config ... (stream_is_lossy; config:inspect, disable, type stream-events, scope flow; ...))
    scope:
      packet
      flow
      tx
      file
      src_ip
      dest_ip
      ip_pair

#11

Updated by Victor Julien over 5 years ago

Subject changed from conditional logging to conditional logging: controlling what gets logged

#12

Updated by Victor Julien over 5 years ago

Target version changed from TBD to 6.0.0beta1

#13

Updated by Victor Julien over 5 years ago

Priority changed from Normal to High

#14

Updated by Victor Julien about 5 years ago

Status changed from New to Assigned
Assignee changed from OISF Dev to Victor Julien

#15

Updated by Victor Julien almost 5 years ago

Target version changed from 6.0.0beta1 to 7.0.0-beta1

#16

Updated by Victor Julien over 4 years ago

Related to Feature #121: Alert on domain name look up, capture traffic for corresponding IP added

#17

Updated by Victor Julien over 2 years ago

Target version changed from 7.0.0-beta1 to 7.0.0-rc1

#18

Updated by Victor Julien over 2 years ago

Target version changed from 7.0.0-rc1 to 8.0.0-beta1

#19

Updated by Victor Julien 2 months ago

Target version changed from 8.0.0-beta1 to 9.0.0-beta1

Related to Suricata - Feature #821: conditional logging: output steering	New	Community Ticket	Actions
Related to Suricata - Feature #843: Custom http logging filter functionality	Closed	Community Ticket	Actions
Related to Suricata - Feature #2661: output the http-body-data to eve.json	New	Community Ticket	Actions
Related to Suricata - Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extracted	New	OISF Dev	Actions
Related to Suricata - Feature #1950: allow configuration of file-store types	New	Community Ticket	Actions
Related to Suricata - Feature #121: Alert on domain name look up, capture traffic for corresponding IP	New	Community Ticket	Actions

Project

General

Custom queries

Profile

Suricata

Feature #1005

conditional logging: controlling what gets logged

Updated by Victor Julien over 11 years ago

Updated by Andreas Herz over 9 years ago

Updated by Andreas Herz about 8 years ago

Updated by Andreas Herz about 8 years ago

Updated by Andreas Herz about 8 years ago

Updated by Victor Julien almost 7 years ago

Updated by Victor Julien over 5 years ago

Updated by Victor Julien over 5 years ago

Updated by Victor Julien over 5 years ago

Updated by Victor Julien over 5 years ago

Updated by Victor Julien over 5 years ago

Updated by Victor Julien over 5 years ago

Updated by Victor Julien over 5 years ago

Updated by Victor Julien about 5 years ago

Updated by Victor Julien almost 5 years ago

Updated by Victor Julien over 4 years ago

Updated by Victor Julien over 2 years ago

Updated by Victor Julien over 2 years ago

Updated by Victor Julien 2 months ago