Bug #2057

closed

eve.json flow logs do not contain in_iface

Added by Rusty Wilson almost 8 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal

Description

I am listing this as a bug rather than a feature, due to the importance of being able to source the interface from which traffic is captured.

I have a client with 2 monitoring interfaces and multiple VLANs, many of which must traverse both mirrored (spanned) interfaces to communicate with internal servers, etc. The topology is anything but straightforward, and the amount of duplicate traffic is nothing short of overwhelming.

I have attempted to discern the sources of traffic and relate it to one of the interfaces in use. However, this is proving to be almost impossible to do without the ability to differentiate between each interface using flow records.

in_iface is logged in event types dns, tls, http, fileinfo, alert, and ssh, but not always, which is curious by itself.

I have attached samples of each as well as the yaml.

Suricata version 3.1.3.
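A small audit and workaround for the situation the ticket describes, added here as an illustration (not code from the ticket, its attachments, or Suricata): it counts, per event_type, how many eve.json records carry in_iface, and for flow records that lack it borrows the interface from any other record of the same connection 5-tuple that does carry it. The sample eve.json lines are constructed; the field names (event_type, in_iface, src_ip, src_port, dest_ip, dest_port, proto) are the standard eve.json ones.

```python
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines (not the ticket's attachments). The two flow
# records lack in_iface; the http record for the first flow carries it, nothing
# carries it for the second flow.
SAMPLE_EVE = """\
{"timestamp":"2017-03-06T14:00:01.000000+0000","event_type":"http","in_iface":"eth1","src_ip":"10.0.1.5","src_port":50000,"dest_ip":"10.0.2.10","dest_port":80,"proto":"TCP"}
{"timestamp":"2017-03-06T14:00:02.000000+0000","event_type":"dns","src_ip":"10.0.1.5","src_port":50001,"dest_ip":"10.0.2.53","dest_port":53,"proto":"UDP"}
{"timestamp":"2017-03-06T14:00:03.000000+0000","event_type":"flow","src_ip":"10.0.1.5","src_port":50000,"dest_ip":"10.0.2.10","dest_port":80,"proto":"TCP"}
{"timestamp":"2017-03-06T14:00:04.000000+0000","event_type":"flow","src_ip":"10.0.1.5","src_port":50001,"dest_ip":"10.0.2.53","dest_port":53,"proto":"UDP"}
{"timestamp":"2017-03-06T14:00:05.000000+0000","event_type":"alert","in_iface":"eth2","src_ip":"10.0.3.7","src_port":4444,"dest_ip":"10.0.2.10","dest_port":443,"proto":"TCP"}
"""


def parse_eve(text):
    """Parse one JSON record per non-empty line, as eve.json is written."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def five_tuple(rec):
    """Key a record by its connection 5-tuple so records of one flow line up."""
    return (rec.get("src_ip"), rec.get("src_port"), rec.get("dest_ip"),
            rec.get("dest_port"), rec.get("proto"))


def audit_in_iface(text):
    """Per event_type, count records with and without in_iface."""
    stats = defaultdict(Counter)
    for rec in parse_eve(text):
        stats[rec.get("event_type")]["present" if "in_iface" in rec else "missing"] += 1
    return {etype: dict(c) for etype, c in stats.items()}


def attribute_flows(text):
    """Map each flow record lacking in_iface to an interface learned from another
    record of the same 5-tuple (either direction), or None if nothing matched."""
    records = parse_eve(text)
    known = {}
    for rec in records:
        if "in_iface" in rec:
            known.setdefault(five_tuple(rec), rec["in_iface"])
    result = {}
    for rec in records:
        if rec.get("event_type") == "flow" and "in_iface" not in rec:
            key = five_tuple(rec)
            # Some record types may log the tuple from the server side, so also
            # try the reversed tuple before giving up.
            reverse = (key[2], key[3], key[0], key[1], key[4])
            result[key] = known.get(key) or known.get(reverse)
    return result
```

Flows with no accompanying protocol or alert record stay unattributed (None), which is exactly the gap the ticket is about.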


Files

- present_in_iface.json (1.66 KB): in_iface logged. Rusty Wilson, 03/06/2017 02:57 PM
- missing_in_iface.json (1.74 KB): in_iface not logged. Rusty Wilson, 03/06/2017 02:57 PM
- suricata.yaml (15.9 KB): suricata configuration. Rusty Wilson, 03/06/2017 02:57 PM
- in_iface_missing.json (255 Bytes). marie g, 07/14/2017 07:01 AM
- in_iface_ok.json (572 Bytes). marie g, 07/14/2017 07:01 AM
- tcpdump_session.txt (5.24 KB). marie g, 07/14/2017 07:01 AM

Related issues (1: 0 open, 1 closed)

Related to Suricata - Bug #1324: vlan tag in eve.json (Closed, Community Ticket)
