Feature #3295

open

Unix socket: support to receive flow shunting information

Added by Andreas Herz almost 2 years ago. Updated almost 2 years ago.

Status: New
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

The idea here is that in some cases it might be possible to pass the shunting info to another part of the network where the decision could be made to not send packets to Suricata for that flow. This would be very efficient from Suricata's point of view.

The request at Suricon 2019 was for a way to push these events to a unix socket.

Maybe the easiest way would be to create a new output for it, which could then log to file, redis, unix socket, etc. Perhaps even an eve event_type? Eve is multi-instance, so it would be possible to have a dedicated eve instance that only pushes this new record type to a unix socket, while a separate eve instance handles normal operations.
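As an added illustration of the consuming side of such an output (this is not code from the ticket or from Suricata): a unix stream socket listener that accepts the connection an eve-log `unix_stream` output would make, reads the newline-delimited EVE JSON it sends, and collects flow 5-tuples from the shunting records so a downstream device could decide which flows to stop forwarding. The `event_type` name `flow_shunt` and the function names are assumptions, since the ticket defines no record format; the 5-tuple fields are the ones every EVE record already carries, and the sample lines are constructed.

```python
import json
import socket
import tempfile
import threading

# Assumption: the ticket names no event type, so "flow_shunt" is a placeholder;
# the 5-tuple fields used below are ones every EVE record already carries.
SHUNT_EVENT_TYPE = "flow_shunt"
def parse_shunt_records(lines):
    """Flow 5-tuples from shunting records; other types and bad lines are skipped."""
    keys = set()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != SHUNT_EVENT_TYPE:
            continue
        try:
            keys.add((rec["proto"], rec["src_ip"], rec["src_port"],
                      rec["dest_ip"], rec["dest_port"]))
        except KeyError:  # record of the right type but missing a field
            continue
    return keys
def collect_from_unix_socket(path, client):
    """Listen where an eve-log unix_stream output would connect, accept one
    client (started in a thread) and return the lines it sent."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        srv.settimeout(5)  # never block forever if the client never connects
        threading.Thread(target=client, args=(path,), daemon=True).start()
        conn, _ = srv.accept()
        buf = b""
        with conn:
            while chunk := conn.recv(4096):
                buf += chunk
    return buf.decode().splitlines()
# Constructed sample lines standing in for what Suricata would emit.
SAMPLE = ['{"event_type":"flow_shunt","proto":"TCP","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":443}',
          '{"event_type":"alert","proto":"TCP","src_ip":"10.0.0.9","src_port":40000,"dest_ip":"198.51.100.2","dest_port":80}',
          '{"event_type":"flow_shunt","proto":"UDP"}', 'not json']

def demo():
    path = tempfile.mkdtemp() + "/eve.sock"
    def client(p):  # plays the role of the eve-log unix_stream writer
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.connect(p)
            c.sendall(("\n".join(SAMPLE) + "\n").encode())
    return parse_shunt_records(collect_from_unix_socket(path, client))
```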


Related issues

Related to Task #3288: Suricon 2019 brainstorm (status: New, assignee: Victor Julien)
Related to Feature #3316: Unix socket: support dumping flow table (status: Feedback, assignee: Community Ticket)
#1

Updated by Victor Julien almost 2 years ago

  • Parent task deleted (#3288)
#2

Updated by Victor Julien almost 2 years ago

  • Related to Task #3288: Suricon 2019 brainstorm added
#3

Updated by Victor Julien almost 2 years ago

  • Related to Feature #3316: Unix socket: support dumping flow table added
#4

Updated by Victor Julien almost 2 years ago

  • Subject changed from "Unix socket support to receive flow shunting information" to "Unix socket: support to receive flow shunting information"
  • Description updated (diff)