Project

General

Profile

Actions

Feature #5647

open

Task #5645: tracking: elephant flow detection

rules: mark flow as elephant flow

Added by Victor Julien about 2 years ago. Updated 4 months ago.

Status:
In Review
Priority:
High
Target version:
Effort:
Difficulty:
Label:

Description

Idea here is that based on #5536, #3271, #5646 you can set a flag in the flow that is then added to eve.flow logs.

Actions #1

Updated by Shivani Bhardwaj 5 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Target version changed from TBD to 8.0.0-beta1
Actions #2

Updated by Victor Julien 5 months ago

  • Priority changed from Normal to High
Actions #3

Updated by Shivani Bhardwaj 4 months ago ยท Edited

Idea here is that based on #5536, #3271, #5646 you can set a flag in the flow that is then added to eve.flow logs.

Q: Why can't we just set a flowbit based on flow bytes count and flow age?

I'm thinking:
1. have a setting in suricata.yaml that indicates the number of bytes and age of the flow after which a flow should be considered elephant flow.
2. allow overriding that setting for specific flows with a rule flag to the flow.bytes.. keyword that marks a flow elephant flow. Syntax could be something like flow.bytes_toserver:>=100000000,elephant incorrect since this does not take the age of the flow into account.
3. log elephant flow counter (unique elephant flows) in eve

Thoughts?

Note: What gets done with such a flow is not in scope of this ticket.

Actions #4

Updated by Shivani Bhardwaj 4 months ago

  • Status changed from Assigned to In Review

Initial idea of marking (NOT via rules) done here: https://github.com/OISF/suricata/pull/11645
Still thinking what the rules would look like.

Actions

Also available in: Atom PDF