Feature #4159
openLog flow age as fractional value
Description
At the moment, flow.age in EVE JSON is an integer value in seconds. This is likely to be too coarse a resolution to properly describe short-lived flows. It would be better to have more precise, fractional values in this field, down to sub-second resolution. Looking at the flow.start and flow.end values, the necessary timestamps should be available.
Updated by Victor Julien over 3 years ago
Would this change the type of the field in json?
Updated by Sascha Steinbiss over 3 years ago
Sascha Steinbiss wrote in #note-2:
Indeed it would!
Just took another look at the JSON RFC, and it actually, strictly speaking, does not change the type, since JSON only defines numbers, which may or may not have a fractional part. See https://tools.ietf.org/html/rfc8259#section-6 -- this means that we should be fine with this change as long as EVE-consuming parties do not make assumptions about the number format in that field that are more strict than the JSON standard.
I'd see this as low risk. What do others think?
Updated by Jason Ish over 3 years ago
Yes, in theory this should be fine. Every JSON parser I've used parses numbers in JSON as floats. However, just looking at the Filebeat Suricata module, it post-processes flow.age to a long. This might not be a problem, or it might. I'll try to test at some point.
Updated by Sascha Steinbiss over 3 years ago
Jason Ish wrote in #note-4:
Yes, in theory this should be fine. Every JSON parser I've used parses numbers in JSON as floats. However, just looking at the Filebeat Suricata module, it post-processes flow.age to a long. This might not be a problem, or it might. I'll try to test at some point.
That would be great, thanks!