Bug #2217
closedevent_type flow is missing icmpv4 (while it has icmpv6) info wherever available
Description
Originally reported on SELKS user list by Brandon.
This would exist for IPv6-ICMP but not for IPv4-ICMP
{ "timestamp": "2017-09-26T00:43:30.001064+0200", "flow_id": 1140273124741010, "event_type": "flow", "src_ip": "2001:xxxxxxx", "dest_ip": "2a02:0xxxxxx", "proto": "IPv6-ICMP", "icmp_type": 1, "icmp_code": 0, "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 138, "bytes_toclient": 0, "start": "2017-09-26T00:43:24.331666+0200", "end": "2017-09-26T00:43:24.331666+0200", "age": 0, "state": "new", "reason": "timeout", "alerted": false } }
Updated by Eric Leblond about 7 years ago
This behavior has been introduced by commit:548a3b2c93aed79e39a34ee9dd4c68f43a27f363. Idea was not to create flows for icmp error messages.
Updated by Victor Julien about 7 years ago
I can imagine it would make sense to create a flow for echo/echoreply. But other than echo/echoreply what icmp should lead to a flow?
Updated by brandon okuszka about 7 years ago
Good morning,
I initially reported this issue in the SELKS Google group. In this case, I'm attempting to use the suricata logs and elk stack to analyze icmp v4/v6 traffic (among other things). Ideally, I'd like to be able to see all icmp types. Still, flows for echo request and reply alone would be beneficial. As of right now the only workaround is to generate simple alerts based off icmp type. I'd like to avoid that if possible. Would there be a way to turn off / on the creation of icmp flows?
Updated by Andreas Herz about 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien almost 7 years ago
- Blocked by Feature #2292: flow: add icmpv4 and improve icmpv6 flow handling added
Updated by Victor Julien almost 7 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien over 6 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 4.1rc1