Project

General

Profile

Actions
Copy link

Feature #5646

open

Task #5645: tracking: elephant flow detection

rules: allow matching on flow pkts and bytes

Added by Victor Julien over 1 year ago. Updated 12 days ago.

Status:
Assigned
Priority:
High
Assignee:
Shivani Bhardwaj
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

Probably need some logic to express direction, e.g.

flow.pkts:toserver,>,10000;
flow.pkts:either,=,10000;
flow.bytes:both,>,1G;

Exact syntax TBD.

Related issues 2 (0 open2 closed)

Related to Suricata - Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as wellClosedPhilippe AntoineActions
Related to Suricata - Feature #7097: Additions to flow detection - sizeClosedOISF DevActions
Actions
Copy link
 #1

Updated by Philippe Antoine 9 months ago

  • Related to Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as well added
Actions
Copy link
 #2

Updated by Philippe Antoine 8 months ago

@Victor Julien is there more to do here after https://redmine.openinfosecfoundation.org/issues/6164 ?
Maybe the sum of both directions ?

Actions
Copy link
 #3

Updated by Victor Julien about 1 month ago

Not sure if we need the "both" support. Would that be useful? And I guess an "either" option would make sense as well?

Actions
Copy link
 #4

Updated by Peter Manev about 1 month ago

"either" is good in my opinion.

Actions
Copy link
 #5

Updated by Philippe Antoine about 1 month ago

  • Related to Feature #7097: Additions to flow detection - size added
Actions
Copy link
 #6

Updated by Shivani Bhardwaj 12 days ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link
 #7

Updated by Victor Julien 12 days ago

  • Priority changed from Normal to High
Actions
Copy link
 #8

Updated by Shivani Bhardwaj 12 days ago

Also need: elephant flow counter

Actions
Copy link

Also available in: Atom PDF