Feature #3316
openunix-socket: support dumping flow table
Added by Victor Julien over 6 years ago. Updated 6 months ago.
Description
Idea is to use the unix socket interface dump the flow table. This could be used to analyse the internal state of flows.
The conntrack tool from Linux/Netfilter could be an example.
VJ Updated by Victor Julien over 6 years ago Actions #1
- Related to Task #3288: Suricon 2019 brainstorm added
VJ Updated by Victor Julien over 6 years ago Actions #2
- Related to Feature #3295: unix-socket: support to receive flow bypass information added
VJ Updated by Victor Julien over 6 years ago Actions #3
Suggestions about use cases and things like syntax and such are welcome.
VJ Updated by Victor Julien over 6 years ago Actions #4
- Description updated (diff)
DB Updated by Danny Browning over 6 years ago Actions #5
One thing as we were exploring saving flow state is that there is not currently a stable identifier for flows between suricata runs. If we plan to load the dumped flow table, flow hash_id will need to be stable (no seed), or support for community flow id will need to be added to flow as a way to marry dumped state and captured flows.
VJ Updated by Victor Julien over 5 years ago Actions #6
- Related to Task #3301: Research: Failover support within the current IPS implementation added
JI Updated by Jason Ish 6 months ago Actions #7
- Related to Task #8123: Suricon 2025 Brainstorm added
JF Updated by Juliana Fajardini Reichow 6 months ago Actions #8
apparentlym there is alresy a unix socket command to dump a flow given its id
JF Updated by Juliana Fajardini Reichow 6 months ago Actions #9
TCP reverse shells seem an interesting use case as a long session not terminating properly
JF Updated by Juliana Fajardini Reichow 6 months ago Actions #10
Another solution could be a partial flow dump in eve.json (at flow start)
JF Updated by Juliana Fajardini Reichow 6 months ago Actions #11
Not only at start/end of flow, but give flexibility to user...
VJ Updated by Victor Julien 6 months ago Actions #12
- Subject changed from Unix socket: support dumping flow table to unix-socket: support dumping flow table
VJ Updated by Victor Julien 17 days ago Actions #13
- Related to Feature #2301: netflow: dump records at interval added