Feature #3316
openunix-socket: support dumping flow table
Description
The idea is to use the unix socket interface to dump the flow table. This could be used to analyse the internal state of flows.
The conntrack tool from Linux/Netfilter could be an example.
Updated by Victor Julien about 6 years ago
- Related to Task #3288: Suricon 2019 brainstorm added
Updated by Victor Julien about 6 years ago
- Related to Feature #3295: unix-socket: support to receive flow bypass information added
Updated by Victor Julien about 6 years ago
Suggestions about use cases and things like syntax and such are welcome.
Updated by Danny Browning about 6 years ago
One thing as we were exploring saving flow state is that there is not currently a stable identifier for flows between suricata runs. If we plan to load the dumped flow table, flow hash_id will need to be stable (no seed), or support for community flow id will need to be added to flow as a way to marry dumped state and captured flows.
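The "community flow id" mentioned above is the Community ID flow hash (spec: https://github.com/corelight/community-id-spec): a seeded, direction-independent digest of the 5-tuple, which is exactly the kind of identifier that stays stable across Suricata runs. The following is an added Python example, not Suricata's code and not the project's flow-dump format: it computes Community ID v1 for TCP/UDP/SCTP and for portless protocols (the ICMP type/code mapping from the spec is left out), then uses it to key a constructed flow-table dump so that a packet from either direction finds its flow. The record field names, the sample flows and the `index_flow_dump`/`lookup_packet` helpers are all constructed for this example.

```python
import base64
import hashlib
import ipaddress
import struct

# Protocol numbers whose transport header carries 16-bit ports that enter the hash.
PORT_PROTOS = {6: "TCP", 17: "UDP", 132: "SCTP"}


def community_id(saddr, sport, daddr, dport, proto, seed=0):
    """Community ID v1 for a 5-tuple (TCP/UDP/SCTP, or any portless protocol).

    The endpoints are put in a canonical order before hashing, so both
    directions of a flow yield the same ID; the 16-bit seed lets deployments
    that must not share IDs with each other diverge deliberately.
    """
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if len(src) != len(dst):
        raise ValueError("source and destination must be the same IP family")
    has_ports = proto in PORT_PROTOS
    if not has_ports:
        sport = dport = 0          # ports are not part of the flow key
    # Canonical ordering: lower address first, then lower port on a tie.
    if (src, sport) > (dst, dport):
        src, dst, sport, dport = dst, src, dport, sport
    # seed (2 bytes, network order) | saddr | daddr | proto | zero pad [| sport | dport]
    data = struct.pack("!H", seed) + src + dst + struct.pack("!BB", proto, 0)
    if has_ports:
        data += struct.pack("!HH", sport, dport)
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def index_flow_dump(flows, seed=0):
    """Key a dumped flow table by Community ID.

    `flows` are dicts with src_ip/src_port/dest_ip/dest_port/proto fields;
    this record layout is constructed for the example, not Suricata's format.
    """
    index = {}
    for f in flows:
        cid = community_id(f["src_ip"], f["src_port"],
                           f["dest_ip"], f["dest_port"], f["proto"], seed)
        index[cid] = f
    return index


def lookup_packet(index, saddr, sport, daddr, dport, proto, seed=0):
    """Find the dumped flow a packet belongs to, whichever direction it travels."""
    return index.get(community_id(saddr, sport, daddr, dport, proto, seed))


# Constructed sample dump: two flows, as a flow-table dump might list them.
SAMPLE_FLOW_DUMP = [
    {"src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "192.0.2.10",
     "dest_port": 443, "proto": 6, "state": "established"},
    {"src_ip": "10.0.0.5", "src_port": 40000, "dest_ip": "192.0.2.53",
     "dest_port": 53, "proto": 17, "state": "closed"},
]

if __name__ == "__main__":
    idx = index_flow_dump(SAMPLE_FLOW_DUMP)
    # A reply packet (server -> client) must land on the same flow record.
    hit = lookup_packet(idx, "192.0.2.10", 443, "10.0.0.5", 51234, 6)
    print(community_id("192.0.2.10", 443, "10.0.0.5", 51234, 6), hit["state"])
```

Two things matter for the use case in the comment: the seed has to be the same on both sides (dump and capture), otherwise nothing matches, and a dump loaded into a fresh process can only be joined to live flows by such a content-derived key, never by an internal hash that was salted per run. The spec repository publishes reference vectors; check the function against them before relying on it.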
Updated by Victor Julien about 5 years ago
- Related to Task #3301: Research: Failover support within the current IPS implementation added
Updated by Jason Ish 18 days ago
- Related to Task #8123: Suricon 2025 Brainstorm added
Updated by Juliana Fajardini Reichow 18 days ago
Apparently there is already a unix socket command to dump a flow given its id
Updated by Juliana Fajardini Reichow 18 days ago
TCP reverse shells seem an interesting use case as a long session not terminating properly
Updated by Juliana Fajardini Reichow 18 days ago
Another solution could be a partial flow dump in eve.json (at flow start)
Updated by Juliana Fajardini Reichow 18 days ago
Not only at start/end of flow, but give flexibility to user...
Updated by Victor Julien 14 days ago
- Subject changed from Unix socket: support dumping flow table to unix-socket: support dumping flow table