Feature #4406: unix socket: Get flow information by flow_id - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #4406

closed

unix socket: Get flow information by flow_id

Added by Eric Leblond over 3 years ago. Updated about 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Eric Leblond

Target version:

7.0.0-beta1

Effort:

low

Difficulty:

medium

Label:

Description

When a flow is long duration and is not yet dead, we can know it exists (via application layer logging) but we can't know anything about the volume of data exchanged. This is not helping to characterize the nature of the flow. For example, we can not differentiate a scp session and a ssh session (same example work on TLS tunnel).

A way to get information is to be able to query the unix socket to get the volumetry information from the flow.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #4406

unix socket: Get flow information by flow_id

Updated by Victor Julien over 3 years ago

Updated by Victor Julien over 2 years ago

Updated by Victor Julien about 2 years ago