eve: log more IKEv2 fields
At this moment Suricata detects IKEv2 traffic, but the traffic analysis is little bit complicated.
here is a small illustrated guide for IKEv2
I added my experimental IKEv2 suricata rules to this task too.
But, Moloch shows (IKEv2_Moloch_Screenshot_20190504_175220.png), in the Suricata section, only the Signatures which detect this traffic.
My proposal is to enhance the Suricata/Moloch plugins to show these parameters of the IKEv2 handshake (IKEv2-EventsList_Screenshot_20190504_175956.png)
ikev2.exchange_type (at this time only numerical string, maybe standard descriprion will be better, like the other parameters)
Updated by Andreas Herz over 3 years ago
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Michal Vymazal
The necessary steps are explained in https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing and https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide feel free to ask if you have any specific questions. You can also look at our github page https://github.com/OISF/suricata and see how we work with PRs.
Updated by Michal Vymazal over 3 years ago
Suricata code location - Moloch, Suricata plugins
I will be glad to cooperate on this projects
But, I can't locate the right part of the code in the repository (means Moloch and Suricata plugins)
Can you give me a contact to a responsible person, who will help me to
find the right part of Suricata plugin and Moloch code?
Thank you very much
Updated by Michal Vymazal about 3 years ago
- File IKEv2_Moloch_Screenshot_20190504_175220-2.png IKEv2_Moloch_Screenshot_20190504_175220-2.png added
- File Screenshot_20191123_094316.png Screenshot_20191123_094316.png added
- File IKEv2-EventsList_Screenshot_20190504_175956.png IKEv2-EventsList_Screenshot_20190504_175956.png added
The code should be located in Moloch-Suricata plugins