Feature #3295

open

Unix socket: support to receive flow shunting information

Added by Andreas Herz about 5 years ago. Updated about 5 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

The idea here is that in some cases it might be possible to pass the shunting info to another part of the network where the decision could be made to not send packets to Suricata for that flow. This would be very efficient from Suricata's point of view.

The request at Suricon 2019 was a way to push these events to unix socket somehow.

Maybe the easiest way would be to create a new output for it, that could then log to file, redis, unix socket, etc. Perhaps even an eve event_type? Eve is multi-instance so it would be possible to have a dedicated eve to just push this new record type to unix socket, while having a separate eve for normal operations.

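As an added example, not part of this ticket and not Suricata code, the receiving side of the setup sketched above: a listener on a unix stream socket that reassembles EVE's newline-delimited JSON across arbitrary recv() boundaries and validates each record before handing a flow key to whatever upstream element would stop forwarding that flow. It assumes a hypothetical event_type of `flow_shunt` carrying the flow's 5-tuple in EVE's usual `proto`, `src_ip`, `src_port`, `dest_ip` and `dest_port` fields; no such record type exists in Suricata, and the socket path is an assumption too. Suricata's existing eve-log `filetype: unix_stream` connects to the socket as a client, which is why the consumer binds and listens. The sample byte chunks are constructed for the example.

```python
"""Consumer for a hypothetical Suricata EVE flow-shunt feed delivered over a unix stream socket.

Example code added to this ticket page; not Suricata's own code. Everything below the
event_type name is an assumption about what such a record would carry.
"""
import ipaddress
import json
import os
import socket
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

# Hypothetical record type: Suricata defines no such event_type at the time of this ticket.
SHUNT_EVENT_TYPE = "flow_shunt"

# Hypothetical socket path; Suricata's eve-log with filetype unix_stream would connect here.
SOCKET_PATH = "/var/run/suricata/shunt.sock"

FlowKey = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dest_ip, dest_port)

# Constructed sample input: one shunt record split across two chunks, an unrelated alert,
# a garbage line, and a shunt record with an invalid address. Not captured from Suricata.
CONSTRUCTED_CHUNKS: List[bytes] = [
    b'{"event_type":"flow_shunt","proto":"TCP","src_ip":"10.0.0.5","src_port":44321,'
    b'"dest_ip":"93.184.216.34","dest_port":443}\n'
    b'{"event_type":"alert","proto":"TCP","src_ip":"10.0.0.6",',
    b'"src_port":1,"dest_ip":"10.0.0.7","dest_port":2}\n'
    b'not json\n'
    b'{"event_type":"flow_shunt","proto":"TCP","src_ip":"bad","src_port":1,'
    b'"dest_ip":"10.0.0.1","dest_port":2}\n',
]


def iter_eve_records(chunks: Iterable[bytes]) -> Iterator[dict]:
    """Reassemble one JSON object per line from chunks that may start or end mid-line."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while True:
            nl = buf.find(b"\n")
            if nl < 0:
                break
            line, buf = buf[:nl], buf[nl + 1:]
            if not line.strip():
                continue
            try:
                yield json.loads(line)
            except ValueError:
                # A malformed line must not take the consumer down; drop it and carry on.
                continue
    # Data left at EOF is an unterminated line; it is either a complete last record or junk.
    if buf.strip():
        try:
            yield json.loads(buf)
        except ValueError:
            pass


def flow_key(rec: dict) -> Optional[FlowKey]:
    """Return the 5-tuple to shunt for a record of the hypothetical shunt type, else None.

    Every field is validated: an upstream device will act on this key, so a record with a
    bad address or port must never produce one. Only port-carrying protocols are accepted.
    """
    if rec.get("event_type") != SHUNT_EVENT_TYPE:
        return None
    try:
        proto = str(rec["proto"]).upper()
        src = ipaddress.ip_address(str(rec["src_ip"]))
        dst = ipaddress.ip_address(str(rec["dest_ip"]))
        sport = int(rec["src_port"])
        dport = int(rec["dest_port"])
    except (KeyError, ValueError, TypeError):
        return None
    if proto not in ("TCP", "UDP", "SCTP"):
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return (proto, str(src), sport, str(dst), dport)


def shunt_keys(chunks: Iterable[bytes]) -> List[FlowKey]:
    """Flow keys for every valid shunt record in the stream, in arrival order."""
    return [k for k in (flow_key(r) for r in iter_eve_records(chunks)) if k is not None]


def serve(path: str, on_key: Callable[[FlowKey], None]) -> None:
    """Bind a unix stream socket at path and feed each Suricata connection to on_key."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)  # only the Suricata user/group may connect and inject keys
    srv.listen(1)
    while True:
        conn, _ = srv.accept()
        with conn:
            def chunks() -> Iterator[bytes]:
                while True:
                    data = conn.recv(65536)
                    if not data:
                        return
                    yield data
            for key in shunt_keys(chunks()):
                on_key(key)


if __name__ == "__main__":
    serve(SOCKET_PATH, print)
```

The permission bits on the socket path matter as much as the parsing: anything that can connect to this socket can tell the upstream element to stop sending traffic to Suricata, so the path should be reachable only by the Suricata user and the consumer.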

Related issues: 2 (2 open, 0 closed)

Related to Suricata - Task #3288: Suricon 2019 brainstorm (Assigned, Victor Julien)
Related to Suricata - Feature #3316: Unix socket: support dumping flow table (Feedback, Community Ticket)
