Feature #2277

Output hierarchical network tree in events

Added by Eric Leblond 4 months ago. Updated 7 days ago.


This feature will allow users to define a network tree structure with names. During event generation, a lookup will be made to add information about the hierarchy of networks the source and destination addresses belong to.


#1 Updated by Victor Julien 4 months ago

Can you add a format suggestion?

#2 Updated by Andreas Herz 4 months ago

  • Target version set to TBD

#3 Updated by Giuseppe Longo about 1 month ago

  {
    "timestamp": "2018-01-04T15:44:16.018667+0100",
    "flow_id": 414428872802379,
    "in_iface": "wlp2s0",
    "event_type": "http",
    "src_ip": "",
    "src_port": 45200,
    "dest_ip": "",
    "dest_port": 80,
    "proto": "TCP",
    "net_info": {
      "src": [
        "Red team"
      ],
      "dest": []
    },
    "tx_id": 0,
    "http": {
      "hostname": "",
      "url": "/",
      "http_user_agent": "curl/7.52.1",
      "http_content_type": "text/html",
      "http_method": "GET",
      "protocol": "HTTP/1.1",
      "status": 200,
      "length": 17207
    }
  }

Network information is added in the "net_info" field.

#4 Updated by Victor Julien about 1 month ago

What will the config look like?

#5 Updated by Giuseppe Longo 22 days ago

The configuration consists of setting a JSON file that contains the information:

# Information about your networks can be defined in the file
# below using a JSON syntax and added when an event is generated.
#network-info: /etc/suricata/network.json

and network.json looks like:

  [
    {
      "name": "Lecce",
      "addresses": [""],
      "children": [
        {
          "name": "Department I",
          "addresses": ["", ""],
          "children": [
            {
              "name": "Dev Room",
              "addresses": [""],
              "children": [
                {"name": "DNS", "addresses": [""]}
              ]
            }
          ]
        }
      ]
    }
  ]
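
The lookup that turns a network.json of the shape shown in #5 into the "net_info" field shown in #3, as an added example that is not Suricata code or code from this ticket. It assumes the addresses in the file are CIDR prefixes (the page's own file has them stripped, so the networks below are constructed sample data), walks the tree from the root and only descends into a child when the parent already matched, and rejects a child whose prefix is not inside its parent's, since such a tree would not be a hierarchy. The function names load_tree, lookup and net_info are this example's own.

```python
"""Hierarchical network lookup for an event's src_ip/dest_ip.

Added example, not Suricata code. Parses a network.json in the layout of
comment #5 and returns, for an address, the chain of network names from
the root down, which is what the "net_info" field in comment #3 carries.
"""
import ipaddress
import json

# Constructed sample config in the comment-#5 layout; the prefixes are
# made up for this example (the page's file had its addresses stripped).
NETWORK_JSON = """
[{"name": "Lecce", "addresses": ["10.0.0.0/8"],
  "children": [
    {"name": "Department I", "addresses": ["10.1.0.0/16", "10.2.0.0/16"],
     "children": [
       {"name": "Dev Room", "addresses": ["10.1.5.0/24"],
        "children": [{"name": "DNS", "addresses": ["10.1.5.53/32"]}]}]}]}]
"""


def load_tree(text):
    """Parse the JSON and pre-compute ip_network objects for each node.

    Each node becomes {"name", "nets", "children"}. A child's prefixes
    must lie inside one of its parent's prefixes; otherwise the tree is
    not a hierarchy and the lookup below would silently miss it.
    """
    def build(node, parent_nets):
        nets = [ipaddress.ip_network(a, strict=False)
                for a in node.get("addresses", [])]
        for n in nets:
            if parent_nets and not any(n.subnet_of(p) for p in parent_nets
                                       if p.version == n.version):
                raise ValueError(
                    f"{node['name']}: {n} is not inside its parent networks")
        return {
            "name": node["name"],
            "nets": nets,
            "children": [build(c, nets) for c in node.get("children", [])],
        }
    return [build(n, []) for n in json.loads(text)]


def lookup(tree, ip):
    """Names from the root to the most specific node containing ip.

    Returns [] when no top-level network contains the address. The walk
    stops at the first level without a match, so a more specific node
    is only reported when every ancestor matched too.
    """
    addr = ipaddress.ip_address(ip)
    path = []
    level = tree
    while level:
        hit = next((n for n in level
                    if any(addr in net for net in n["nets"])), None)
        if hit is None:
            break
        path.append(hit["name"])
        level = hit["children"]
    return path


def net_info(tree, src_ip, dest_ip):
    """Build the "net_info" object of comment #3 for one event."""
    return {"src": lookup(tree, src_ip), "dest": lookup(tree, dest_ip)}


if __name__ == "__main__":
    tree = load_tree(NETWORK_JSON)
    # Constructed event addresses: one inside the DNS leaf, one outside.
    print(json.dumps(net_info(tree, "10.1.5.53", "192.168.1.1"), indent=2))
```

The same structure expressed in YAML (the alternative raised in #6) parses to an identical list of dicts, so load_tree would accept it unchanged if json.loads were swapped for a YAML loader.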

#6 Updated by Victor Julien 22 days ago

Where does this json file come from? Does it have some standardized format? It seems to me that using yaml would make more sense, as this is our main config format.

#7 Updated by Peter Manev 22 days ago

YAML format is always beneficial, but in a lot of network management tools and equipment (Juniper/Cisco for example) you can export network(s) config information in JSON format already, so it would be beneficial to have that possibility as well I think.

#8 Updated by Victor Julien 11 days ago

So if there are existing tools that export to JSON, there must be a standard of some sort? If there is no standard, is there at least compatibility with some product?

#9 Updated by Jason Ish 11 days ago

I have to agree. We should use YAML unless there is a specification out there that defines a JSON layout for specifying this stuff. Even if that spec is "cisco".

#10 Updated by Peter Manev 11 days ago

I don't think (know of) there is a unified cross-vendor (maybe per vendor release, not sure) standard for exporting config data to JSON (or any other format).

#11 Updated by Giuseppe Longo 7 days ago

We would use both JSON and YAML formats. Do you agree with that?
