Feature #5647
open Task #5645: tracking: elephant flow detection
rules: mark flow as elephant flow
Updated by Shivani Bhardwaj 4 months ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Shivani Bhardwaj
- Target version changed from TBD to 8.0.0-beta1
Updated by Shivani Bhardwaj 3 months ago · Edited
Idea here is that based on #5536, #3271, #5646 you can set a flag in the flow that is then added to eve.flow logs.
Q: Why can't we just set a flowbit based on flow bytes count and flow age?
I'm thinking:
1. have a setting in suricata.yaml
that indicates the number of bytes and age of the flow after which a flow should be considered elephant flow.
2. allow overriding that setting for specific flows with a rule flag to the flow.bytes keyword that marks a flow elephant flow (edited: incorrect since this does not take the age of the flow into account). Syntax could be something like flow.bytes_toserver:>=100000000,elephant
3. log elephant flow counter (unique elephant flows) in eve
Thoughts?
Note: What gets done with such a flow is not in scope of this ticket.
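As an added illustration of the three points above (not Suricata code, and not from the ticket author): a small Python model of a global bytes-plus-age threshold, a rule-level override using the proposed `flow.bytes_toserver:>=100000000,elephant` syntax, and a counter of unique elephant flows with an eve.flow-style record. The config keys, the `elephant` field and the keyword grammar are assumptions for the sake of the example; the sample flows are constructed.

```python
import json
import operator
from dataclasses import dataclass

# Hypothetical suricata.yaml-style setting (not a real Suricata key): a flow is an
# elephant flow once it exceeds BOTH a byte count and an age in seconds.
ELEPHANT_CONFIG = {"bytes": 100_000_000, "age": 60}

# Comparison operators accepted in the hypothetical rule keyword; longest first so
# ">=" is tried before ">".
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}


@dataclass
class Flow:
    flow_id: int
    bytes_toserver: int
    bytes_toclient: int
    start_ts: float  # epoch seconds of the first packet
    last_ts: float   # epoch seconds of the most recent packet
    elephant: bool = False

    @property
    def age(self) -> float:
        return self.last_ts - self.start_ts

    @property
    def total_bytes(self) -> int:
        return self.bytes_toserver + self.bytes_toclient


def exceeds_global_threshold(flow: Flow, cfg: dict = ELEPHANT_CONFIG) -> bool:
    """Point (1): bytes AND age, so a short burst alone is not misclassified."""
    return flow.total_bytes >= cfg["bytes"] and flow.age >= cfg["age"]


def parse_flow_bytes_keyword(option: str):
    """Parse the proposed 'flow.bytes_toserver:>=100000000,elephant' syntax (assumed grammar).

    Returns (field, compare_fn, value, mark_elephant)."""
    keyword, _, rest = option.partition(":")
    field = keyword[len("flow."):] if keyword.startswith("flow.") else ""
    if field not in ("bytes_toserver", "bytes_toclient"):
        raise ValueError(f"unsupported keyword {keyword!r}")
    cond, _, flag = rest.partition(",")
    for sym, fn in OPS.items():
        if cond.startswith(sym):
            return field, fn, int(cond[len(sym):]), flag.strip() == "elephant"
    raise ValueError(f"bad comparison {cond!r}")


def rule_marks_elephant(flow: Flow, option: str) -> bool:
    """Point (2): a rule override marks the flow on the byte condition alone,
    in the stated direction only, regardless of the flow's age."""
    field, cmp, value, mark = parse_flow_bytes_keyword(option)
    return mark and cmp(getattr(flow, field), value)


class ElephantTracker:
    """Point (3): mark flows, count each elephant flow once, emit eve.flow-style output."""

    def __init__(self, rules=()):
        self.rules = list(rules)
        self.seen = set()

    def update(self, flow: Flow) -> bool:
        if not flow.elephant and (exceeds_global_threshold(flow)
                                  or any(rule_marks_elephant(flow, r) for r in self.rules)):
            flow.elephant = True
        if flow.elephant:
            self.seen.add(flow.flow_id)  # set semantics: counted once per flow
        return flow.elephant

    @property
    def unique_elephant_flows(self) -> int:
        return len(self.seen)

    @staticmethod
    def eve_record(flow: Flow) -> dict:
        return {"event_type": "flow", "flow_id": flow.flow_id,
                "flow": {"bytes_toserver": flow.bytes_toserver, "bytes_toclient": flow.bytes_toclient,
                         "age": flow.age, "elephant": flow.elephant}}


def demo():
    """Constructed sample flows: returns (unique elephant count, list of eve records)."""
    flows = [
        Flow(1, 150_000_000, 2_000_000, 1000.0, 1120.0),  # big and old: global threshold
        Flow(2, 120_000_000, 1_000_000, 1000.0, 1005.0),  # big but young: only the rule marks it
        Flow(3, 1_000_000, 500_000, 1000.0, 4600.0),      # old but small: not an elephant
        Flow(4, 1_000_000, 120_000_000, 1000.0, 1005.0),  # big to client only: rule is toserver
    ]
    tracker = ElephantTracker(rules=["flow.bytes_toserver:>=100000000,elephant"])
    for f in flows:
        tracker.update(f)
    tracker.update(flows[0])  # re-seeing a flow must not double count it
    return tracker.unique_elephant_flows, [tracker.eve_record(f) for f in flows]


if __name__ == "__main__":
    count, records = demo()
    print("unique elephant flows:", count)
    for r in records:
        print(json.dumps(r, sort_keys=True))
```

Flow 4 is the case worth noticing: it carries 120 MB but only toclient, so the toserver rule does not fire and, being five seconds old, the global threshold does not either; whether that is the intended outcome is exactly the kind of question the per-direction keyword syntax raises.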
Updated by Shivani Bhardwaj 3 months ago
- Status changed from Assigned to In Review
Initial idea of marking (NOT via rules) done here: https://github.com/OISF/suricata/pull/11645
Still thinking what the rules would look like.