Feature #3316
openunix-socket: support dumping flow table
Description
Idea is to use the unix socket interface dump the flow table. This could be used to analyse the internal state of flows.
The conntrack tool from Linux/Netfilter could be an example.
VJ Updated by Victor Julien over 6 years ago
- Related to Task #3288: Suricon 2019 brainstorm added
VJ Updated by Victor Julien over 6 years ago
- Related to Feature #3295: unix-socket: support to receive flow bypass information added
VJ Updated by Victor Julien over 6 years ago
Suggestions about use cases and things like syntax and such are welcome.
VJ Updated by Victor Julien over 6 years ago
- Description updated (diff)
DB Updated by Danny Browning over 6 years ago
One thing as we were exploring saving flow state is that there is not currently a stable identifier for flows between suricata runs. If we plan to load the dumped flow table, flow hash_id will need to be stable (no seed), or support for community flow id will need to be added to flow as a way to marry dumped state and captured flows.
VJ Updated by Victor Julien over 5 years ago
- Related to Task #3301: Research: Failover support within the current IPS implementation added
JI Updated by Jason Ish 5 months ago
- Related to Task #8123: Suricon 2025 Brainstorm added
JF Updated by Juliana Fajardini Reichow 5 months ago
apparentlym there is alresy a unix socket command to dump a flow given its id
JF Updated by Juliana Fajardini Reichow 5 months ago
TCP reverse shells seem an interesting use case as a long session not terminating properly
JF Updated by Juliana Fajardini Reichow 5 months ago
Another solution could be a partial flow dump in eve.json (at flow start)
JF Updated by Juliana Fajardini Reichow 5 months ago
Not only at start/end of flow, but give flexibility to user...
VJ Updated by Victor Julien 5 months ago
- Subject changed from Unix socket: support dumping flow table to unix-socket: support dumping flow table