Project

General

Profile

Actions
Copy link

Feature #5646

open

Task #5645: tracking: elephant flow detection

rules: allow matching on flow pkts and bytes

Added by Victor Julien over 1 year ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Probably need some logic to express direction, e.g.

flow.pkts:toserver,>,10000;
flow.pkts:either,=,10000;
flow.bytes:both,>,1G;

Exact syntax TBD.

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as wellClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Philippe Antoine 6 months ago

  • Related to Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as well added
Actions
Copy link
 #2

Updated by Philippe Antoine 5 months ago

@Victor Julien is there more to do here after https://redmine.openinfosecfoundation.org/issues/6164 ?
Maybe the sum of both directions ?

Actions
Copy link

Also available in: Atom PDF