Project

General

Profile

Actions
Copy link

Feature #5646

open

Task #5645: tracking: elephant flow detection

rules: allow matching on flow pkts and bytes

Added by Victor Julien over 1 year ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Probably need some logic to express direction, e.g.

flow.pkts:toserver,>,10000;
flow.pkts:either,=,10000;
flow.bytes:both,>,1G;

Exact syntax TBD.

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #6164: detect: new keyword flow.pkts_toclient to server and bytes as wellClosedPhilippe AntoineActions
Actions
Copy link

Also available in: Atom PDF