Feature #6215
flow/output: log triggered exception policy
Status: Closed
Description
A complement to exception policy stats counters [1], we have some customers that would find it valuable to support logging some information on flows that caused exception policies to be triggered. This is most useful for the midstream policy, where users are interested in identifying the flows that matched the policy so that they can troubleshoot common causes such as asymmetric routing in their network. It may be useful for other exception policies as well, but we don't have as clear an immediate use case for those.
This might make sense as either a flow log output or an alert log output.
Updated by Victor Julien over 2 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
- Target version changed from TBD to 8.0.0-beta1
Updated by Juliana Fajardini Reichow over 2 years ago
- Related to Feature #6210: outputs: add verdict event type added
Updated by Juliana Fajardini Reichow over 2 years ago
- Tracker changed from Bug to Feature
Changing this to "Feature", based on discussions.
Updated by Victor Julien over 2 years ago
The new (in 7) "stream" eve record type might be able to already help here. It logs the flags that include midstream:
{
  "timestamp": "2016-07-14T00:42:07.573174+0200",
  "flow_id": 1983485797392474,
  "pcap_cnt": 9,
  "event_type": "stream_tcp",
  "src_ip": "10.16.1.11",
  "src_port": 54186,
  "dest_ip": "82.165.177.154",
  "dest_port": 80,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "direction": "to_server",
  "stream_tcp": {
    "packet": {
      "len": 40,
      "tos": 0,
      "ttl": 64,
      "ipid": 36763,
      "tcpseq": 2059970576,
      "tcpack": 2548486955,
      "tcpwin": 237,
      "syn": false,
      "ack": true,
      "psh": false,
      "rst": false,
      "urg": false,
      "fin": false,
      "tcpres": 0,
      "tcpurgp": 0,
      "flags": [
        "state_update"
      ]
    },
    "session": {
      "state": "closed",
      "pstate": "last_ack",
      "flags": {
        "flags": [
          "midstream",
          "midstream_synack",
          "3whs_confirmed"
        ]
      },
      "client": {
        "isn": 2059970493,
        "next_seq": 2059970576,
        "last_ack": 2059970576,
        "next_win": 2060012943,
        "base_seq": 2059970494,
        "segs_right_edge": 2059970575,
        "window": 42368,
        "wscale": 7,
        "flags": [
          "appproto_detection_completed"
        ]
      },
      "server": {
        "isn": 2548486694,
        "next_seq": 2548486955,
        "last_ack": 2548486955,
        "next_win": 2552369962,
        "base_seq": 2548486695,
        "segs_right_edge": 2548486954,
        "window": 3883008,
        "wscale": 14,
        "flags": [
          "appproto_detection_completed"
        ]
      }
    }
  }
}
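As an added example (not code from this ticket or from Suricata itself), here is a small Python filter over eve.json lines that does the triage the comment above suggests: it picks out stream_tcp records whose session flags contain "midstream" and counts them per server endpoint, which is the first thing to look at when troubleshooting asymmetric routing. The eve lines are constructed from the record shown above and are not real traffic.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not real traffic): two stream_tcp records
# carrying the "midstream" session flag, one fully tracked session, one flow event.
SAMPLE_EVE = """\
{"timestamp":"2016-07-14T00:42:07.573174+0200","flow_id":1983485797392474,"event_type":"stream_tcp","src_ip":"10.16.1.11","src_port":54186,"dest_ip":"82.165.177.154","dest_port":80,"proto":"TCP","stream_tcp":{"session":{"state":"closed","flags":{"flags":["midstream","midstream_synack","3whs_confirmed"]}}}}
{"timestamp":"2016-07-14T00:42:09.000000+0200","flow_id":1983485797392475,"event_type":"stream_tcp","src_ip":"10.16.1.12","src_port":51000,"dest_ip":"82.165.177.154","dest_port":80,"proto":"TCP","stream_tcp":{"session":{"state":"established","flags":{"flags":["midstream","3whs_confirmed"]}}}}
{"timestamp":"2016-07-14T00:42:10.000000+0200","flow_id":1983485797392476,"event_type":"stream_tcp","src_ip":"10.16.1.13","src_port":52000,"dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","stream_tcp":{"session":{"state":"established","flags":{"flags":["3whs_confirmed"]}}}}
{"timestamp":"2016-07-14T00:42:11.000000+0200","flow_id":1983485797392477,"event_type":"flow","src_ip":"10.16.1.11","src_port":54187,"dest_ip":"82.165.177.154","dest_port":80,"proto":"TCP"}
"""


def session_flags(record):
    """Return the session-level flag list of a stream_tcp record, or [] for any other event."""
    if record.get("event_type") != "stream_tcp":
        return []
    return record.get("stream_tcp", {}).get("session", {}).get("flags", {}).get("flags", [])


def midstream_flows(eve_text):
    """Yield (flow_id, src_ip, src_port, dest_ip, dest_port) for every stream_tcp
    record whose session was picked up midstream, i.e. without Suricata seeing the SYN."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated line, common at the tail of a live eve.json
        if "midstream" in session_flags(rec):
            yield (rec["flow_id"], rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"])


def midstream_by_server(eve_text):
    """Count midstream flows per (dest_ip, dest_port); one server dominating the
    result usually points at an asymmetric path for that destination."""
    return Counter((dst, dport) for _, _, _, dst, dport in midstream_flows(eve_text))


if __name__ == "__main__":
    for flow in midstream_flows(SAMPLE_EVE):
        print("midstream flow", flow)
    print(midstream_by_server(SAMPLE_EVE))
```

Point the same functions at a real eve.json (read the file and pass its text) once the stream_tcp event type is enabled in the eve-log configuration.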
Updated by Juliana Fajardini Reichow almost 2 years ago
- Related to Feature #5816: stats: exception policy counters added
Updated by Victor Julien about 1 year ago
- Priority changed from Normal to High
Updated by Juliana Fajardini Reichow about 1 year ago
- Subject changed from Exception policy log output to flow/output: log triggered exception policy
- Status changed from Assigned to In Progress
Updated by Juliana Fajardini Reichow about 1 year ago
- Status changed from In Progress to In Review
PR for review: https://github.com/OISF/suricata/pull/12683
Updated by Juliana Fajardini Reichow about 1 year ago
- Related to Optimization #7185: stats: exceptions: use search-friendly log output added
Updated by Juliana Fajardini Reichow about 1 year ago
- Status changed from In Review to Resolved
Merged with https://github.com/OISF/suricata/pull/12805
Updated by Juliana Fajardini Reichow about 1 year ago
- Label Needs backport to 7.0 added
Updated by OISF Ticketbot about 1 year ago
- Subtask #7623 added
Updated by OISF Ticketbot about 1 year ago
- Label deleted (Needs backport to 7.0)
Updated by Victor Julien 8 months ago
- Subtask deleted (#7623)
Updated by Victor Julien 8 months ago
- Related to Feature #7623: flow/output: log triggered exception policy (7.0.x backport) added
Updated by Victor Julien 8 months ago
- Status changed from Resolved to Closed