Feature #3316
open
unix-socket: support dumping flow table
Added by Victor Julien about 6 years ago.
Updated 14 days ago.
Description
Idea is to use the unix socket interface to dump the flow table. This could be used to analyse the internal state of flows.
The conntrack tool from Linux/Netfilter could be an example.
Related issues
4 (4 open — 0 closed)
- Related to Task #3288: Suricon 2019 brainstorm added
- Related to Feature #3295: unix-socket: support to receive flow bypass information added
Suggestions about use cases and things like syntax and such are welcome.
- Description updated (diff)
One thing as we were exploring saving flow state is that there is not currently a stable identifier for flows between suricata runs. If we plan to load the dumped flow table, flow hash_id will need to be stable (no seed), or support for community flow id will need to be added to flow as a way to marry dumped state and captured flows.
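The comment above hinges on having a flow identifier that does not depend on a per-run hash seed. As an added illustration (not code from the issue or from the Suricata project), the block below implements the published Community ID v1 flow hash (seed, ordered endpoints, protocol, pad byte, ports; SHA-1; base64; `1:` prefix) and uses it to join a constructed flow-table dump from one run with flows seen in a later run. The dump layout, the `hash_id` values and all addresses are constructed for the example; whether and how Suricata emits such a dump is exactly what this issue is about.

```python
"""Seed-independent flow identifier (Community ID v1) for re-keying a flow dump.

Added example; the dump format and per-run hash ids below are constructed.
"""
import base64
import hashlib
import ipaddress
import struct
from typing import Dict, List, NamedTuple, Tuple

# IP protocol numbers whose port pair is part of the Community ID input.
PORT_PROTOS = {6, 17, 132}  # TCP, UDP, SCTP


class FlowTuple(NamedTuple):
    """5-tuple as it would appear in a flow dump or in a capture."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: int


def community_id(flow: FlowTuple, seed: int = 0) -> str:
    """Community ID v1: '1:' + base64(sha1(seed | src | dst | proto | 0 | sport | dport)).

    Endpoints are ordered so the lexicographically smaller (address, port)
    pair goes first, so both directions of a flow hash to the same string.
    The result depends only on the tuple and the agreed 16-bit seed, never
    on a per-process hash-table seed.
    """
    src = ipaddress.ip_address(flow.saddr)
    dst = ipaddress.ip_address(flow.daddr)
    if src.version != dst.version:
        raise ValueError("mixed address families in one flow")
    src_b, dst_b = src.packed, dst.packed
    if flow.proto in PORT_PROTOS:
        sport, dport = flow.sport, flow.dport
    else:
        sport = dport = 0  # ports are not hashed for other protocols
    if (src_b, sport) > (dst_b, dport):
        src_b, dst_b, sport, dport = dst_b, src_b, dport, sport
    data = struct.pack("!H", seed) + src_b + dst_b + struct.pack("!BB", flow.proto, 0)
    if flow.proto in PORT_PROTOS:
        data += struct.pack("!HH", sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed sample: a flow table dumped from a previous run. The hash_id
# values are per-run (seeded) and therefore useless for matching later.
DUMPED_FLOWS: List[dict] = [
    {"hash_id": 0x1A2B3C4D, "tuple": FlowTuple("10.0.0.5", 51234, "203.0.113.9", 443, 6),
     "state": "established"},
    {"hash_id": 0x5E6F7081, "tuple": FlowTuple("10.0.0.5", 41000, "203.0.113.9", 22, 6),
     "state": "established"},
    {"hash_id": 0x00C0FFEE, "tuple": FlowTuple("10.0.0.7", 53000, "192.0.2.53", 53, 17),
     "state": "new"},
]

# Constructed sample: flows observed in the new run. The second one is seen
# in the reverse direction; the third has no counterpart in the dump.
LIVE_FLOWS: List[FlowTuple] = [
    FlowTuple("10.0.0.5", 51234, "203.0.113.9", 443, 6),
    FlowTuple("203.0.113.9", 22, "10.0.0.5", 41000, 6),
    FlowTuple("10.0.0.9", 60000, "198.51.100.2", 80, 6),
]


def match_dumped_state(dumped: List[dict], live: List[FlowTuple],
                       seed: int = 0) -> Dict[str, Tuple[str, FlowTuple]]:
    """Return {community_id: (dumped_state, live_tuple)} for flows in both sets."""
    by_cid = {community_id(f["tuple"], seed): f for f in dumped}
    matches: Dict[str, Tuple[str, FlowTuple]] = {}
    for flow in live:
        cid = community_id(flow, seed)
        if cid in by_cid:
            matches[cid] = (by_cid[cid]["state"], flow)
    return matches


if __name__ == "__main__":
    for cid, (state, flow) in match_dumped_state(DUMPED_FLOWS, LIVE_FLOWS).items():
        print(f"{cid}  dumped state={state}  seen again as {flow}")
```

Because the identifier is computed from the canonically ordered tuple, the dump can be matched against live flows regardless of which side's packet was seen first after restart; a dump keyed only by the seeded `hash_id` would match nothing.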
- Related to Task #3301: Research: Failover support within the current IPS implementation added
- Related to Task #8123: Suricon 2025 Brainstorm added
Apparently there is already a unix socket command to dump a flow given its id.
TCP reverse shells seem like an interesting use case, as a long session not terminating properly.
Another solution could be a partial flow dump in eve.json (at flow start)
Not only at start/end of flow, but give flexibility to user...
- Subject changed from Unix socket: support dumping flow table to unix-socket: support dumping flow table