Project

General

Profile

Actions
Copy link

Bug #2217

closed
PM VJ

event_type flow is missing icmpv4 (while it has icmpv6) info wherever available

Bug #2217: event_type flow is missing icmpv4 (while it has icmpv6) info wherever available

Added by Peter Manev over 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
4.1rc1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Originally reported on SELKS user list by Brandon.

This would exist for IPv6-ICMP but not for IPv4-ICMP


{
  "timestamp": "2017-09-26T00:43:30.001064+0200",
  "flow_id": 1140273124741010,
  "event_type": "flow",
  "src_ip": "2001:xxxxxxx",
  "dest_ip": "2a02:0xxxxxx",
  "proto": "IPv6-ICMP",
  "icmp_type": 1,
  "icmp_code": 0,
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 138,
    "bytes_toclient": 0,
    "start": "2017-09-26T00:43:24.331666+0200",
    "end": "2017-09-26T00:43:24.331666+0200",
    "age": 0,
    "state": "new",
    "reason": "timeout",
    "alerted": false
  }
}

Related issues 1 (0 open1 closed)

Blocked by Suricata - Feature #2292: flow: add icmpv4 and improve icmpv6 flow handlingClosedVictor JulienActions

EL Updated by Eric Leblond over 8 years ago Actions
Copy link
 #1

This behavior has been introduced by commit:548a3b2c93aed79e39a34ee9dd4c68f43a27f363. Idea was not to create flows for icmp error messages.

VJ Updated by Victor Julien over 8 years ago Actions
Copy link
 #2

I can imagine it would make sense to create a flow for echo/echoreply. But other than echo/echoreply what icmp should lead to a flow?

BO Updated by brandon okuszka over 8 years ago Actions
Copy link
 #3

Good morning,

I initially reported this issue in the SELKS Google group. In this case, I'm attempting to use the suricata logs and elk stack to analyze icmp v4/v6 traffic (among other things). Ideally, I'd like to be able to see all icmp types. Still, flows for echo request and reply alone would be beneficial. As of right now the only workaround is to generate simple alerts based off icmp type. I'd like to avoid that if possible. Would there be a way to turn off / on the creation of icmp flows?

AH Updated by Andreas Herz over 8 years ago Actions
Copy link
 #4

  • Assignee set to OISF Dev
  • Target version set to TBD

VJ Updated by Victor Julien over 8 years ago Actions
Copy link
 #5

  • Blocked by Feature #2292: flow: add icmpv4 and improve icmpv6 flow handling added

VJ Updated by Victor Julien over 8 years ago Actions
Copy link
 #6

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien

VJ Updated by Victor Julien almost 8 years ago Actions
Copy link
 #7

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 4.1rc1
Actions
Copy link

Also available in: PDF Atom