Project

General

Profile

Actions
Copy link

Feature #6215

open

Exception policy log output

Added by Jamie Lavigne 10 months ago. Updated 7 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Juliana Fajardini Reichow
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

A compliment to exception policy stats counters [1], we have some customers that would find it valuable to support logging some information on flows that caused exception policies to be triggered. This is most useful for the midstream policy, where users are interested in identifying the flows that matched the policy so that they can troubleshoot common causes such as asymmetric routing in their network. It may be useful for other exception policies as well, but we don't have as clear of an immediate use case for those.

This might make sense as either a flow log output or an alert log output.

[1] https://redmine.openinfosecfoundation.org/issues/5816

Related issues 2 (2 open0 closed)

Related to Suricata - Feature #6210: outputs: add verdict event typeNewJuliana Fajardini ReichowActions
Related to Suricata - Feature #5816: Exception policy stats countersResolvedJuliana Fajardini ReichowActions
Actions
Copy link
 #1

Updated by Victor Julien 8 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Juliana Fajardini Reichow
  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link
 #2

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Feature #6210: outputs: add verdict event type added
Actions
Copy link
 #3

Updated by Juliana Fajardini Reichow 8 months ago

  • Tracker changed from Bug to Feature

Changing this to "Feature", based on discussions.

Actions
Copy link
 #4

Updated by Victor Julien 7 months ago

The new (in 7) "stream" eve record type might be able to already help here. It logs the flags that include midstream:

{
  "timestamp": "2016-07-14T00:42:07.573174+0200",
  "flow_id": 1983485797392474,
  "pcap_cnt": 9,
  "event_type": "stream_tcp",
  "src_ip": "10.16.1.11",
  "src_port": 54186,
  "dest_ip": "82.165.177.154",
  "dest_port": 80,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "direction": "to_server",
  "stream_tcp": {
    "packet": {
      "len": 40,
      "tos": 0,
      "ttl": 64,
      "ipid": 36763,
      "tcpseq": 2059970576,
      "tcpack": 2548486955,
      "tcpwin": 237,
      "syn": false,
      "ack": true,
      "psh": false,
      "rst": false,
      "urg": false,
      "fin": false,
      "tcpres": 0,
      "tcpurgp": 0,
      "flags": [
        "state_update" 
      ]
    },
    "session": {
      "state": "closed",
      "pstate": "last_ack",
      "flags": {
        "flags": [
          "midstream",
          "midstream_synack",
          "3whs_confirmed" 
        ]
      },
      "client": {
        "isn": 2059970493,
        "next_seq": 2059970576,
        "last_ack": 2059970576,
        "next_win": 2060012943,
        "base_seq": 2059970494,
        "segs_right_edge": 2059970575,
        "window": 42368,
        "wscale": 7,
        "flags": [
          "appproto_detection_completed" 
        ]
      },
      "server": {
        "isn": 2548486694,
        "next_seq": 2548486955,
        "last_ack": 2548486955,
        "next_win": 2552369962,
        "base_seq": 2548486695,
        "segs_right_edge": 2548486954,
        "window": 3883008,
        "wscale": 14,
        "flags": [
          "appproto_detection_completed" 
        ]
      }
    }
  }
}

Actions
Copy link
 #5

Updated by Juliana Fajardini Reichow 11 days ago

  • Related to Feature #5816: Exception policy stats counters added
Actions
Copy link

Also available in: Atom PDF