Feature #2628: Specify the flow direction in metadata sent by Suricata.

Added by Daniel Jaraud over 5 years ago. Updated about 5 years ago.

I'm using Suricata to create parallel coordinates graphs with Vega from the dest/source IPs and ports. Due to bandwidth issues, I can't use flow/netflow but can only rely on the http/dns/smtp/tls etc. data sent by Suricata.
Currently, the metadata sent from Suricata uses src_ip and dest_ip for the home network to protect as well as for the answer from the distant network.
For instance, in case of a DNS request, the first request from the client will set src_ip with the correct IP address of the client of the home network.
But, for the answer from the DNS server to the client, src_ip will then be set to the DNS server IP.
When drawing parallel coordinates graphs, this will lead to a mirror/vertical symmetry axis because src_ip (left axis for instance) and dest_ip (right axis) will show the same data.
Apart from using flow_id as a unique identifier and just drawing the first occurrence of it (=> I'll have only the initiating link), is there another possibility, such as adding a new field to the data (such as I: initialization, R: related to an existing flow_id)?
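One way to implement the flow_id workaround described in the ticket, as an added example that is neither the reporter's code nor Suricata's: read EVE JSON lines in timestamp order, tag the first event seen per flow_id as I (initiating) and later ones as R (related), and swap src/dest on replies so that src_ip always denotes the flow initiator, which removes the mirror symmetry on the parallel coordinates axes. The sample records are constructed; the function assumes each event carries flow_id, src_ip/src_port/dest_ip/dest_port and an EVE-style timestamp with a single timezone offset.

```python
import json

# Constructed sample EVE lines (not from the ticket): a DNS query and its
# answer share flow_id 1, and the answer has the DNS server as src_ip.
SAMPLE_EVE = """
{"timestamp":"2018-10-01T10:00:00.010000+0000","flow_id":1,"event_type":"dns","src_ip":"192.0.2.53","src_port":53,"dest_ip":"10.0.0.5","dest_port":51000,"proto":"UDP"}
{"timestamp":"2018-10-01T10:00:00.000000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.53","dest_port":53,"proto":"UDP"}
{"timestamp":"2018-10-01T10:00:01.000000+0000","flow_id":2,"event_type":"http","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"198.51.100.80","dest_port":80,"proto":"TCP"}
{"timestamp":"2018-10-01T10:00:02.000000+0000","event_type":"stats"}
"""


def normalize_direction(lines):
    """Return events with a 'direction' field (I or R) and src/dest oriented
    so that src_ip is always the side that initiated the flow."""
    events = []
    for line in lines:
        line = line.strip()
        if line:
            events.append(json.loads(line))
    # EVE writers may emit records out of order; orient by timestamp, which
    # sorts correctly as a string only if all records share one tz offset.
    events.sort(key=lambda e: e.get("timestamp", ""))

    initiators = {}  # flow_id -> (src_ip, src_port, dest_ip, dest_port) of first event
    out = []
    for ev in events:
        fid = ev.get("flow_id")
        if fid is None:
            continue  # e.g. stats records: no flow context, nothing to orient
        tup = (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
        if fid not in initiators:
            initiators[fid] = tup
            ev["direction"] = "I"
        else:
            ev["direction"] = "R"
            init = initiators[fid]
            if (tup[0], tup[1]) == (init[2], init[3]):
                # A reply: swap endpoints so the left axis keeps the client.
                ev["src_ip"], ev["dest_ip"] = ev["dest_ip"], ev["src_ip"]
                ev["src_port"], ev["dest_port"] = ev["dest_port"], ev["src_port"]
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in normalize_direction(SAMPLE_EVE.splitlines()):
        print(ev["direction"], ev["src_ip"], "->", ev["dest_ip"])
```

Events without a flow_id are dropped rather than guessed, and a flow whose first event is missing from the log (e.g. after a restart) will be oriented from whichever side is seen first.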

Related issues: 1 (0 open, 1 closed)

Related to Suricata - Feature #2644: Add direction of stream to eve-json events (Closed)

#1

Updated by Andreas Herz about 5 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD
#2

Updated by Daniel Jaraud about 5 years ago

This feature has already been written: . I have written the test for suricata-verify and published an MR, which is currently waiting for merging.

#3

Updated by Andreas Herz about 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to Daniel Jaraud

Thanks for the contribution and the update here!

#4

Updated by Victor Julien over 4 years ago

  • Related to Feature #2644: Add direction of stream to eve-json events added
