Project

General

Profile

Actions

Bug #5769

closed

Incomplete values for .stats."app_layer".flow.proto

Added by Philippe Antoine almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

With ftp or whatever protocol
The two commands do not give the same result

jq 'select(.event_type=="flow" and .app_proto=="ftp") | .app_proto'  log/eve.json | wc -l
jq 'select(.event_type=="stats") | .stats."app_layer".flow.ftp' log/eve.json 

Related issues 2 (0 open2 closed)

Related to Suricata - Bug #6633: stats: flows with a detection-only alproto not accounted in this protocolClosedPhilippe AntoineActions
Blocks Suricata - Feature #1125: smtp: improve protocol detectionClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF