Feature #6215
openflow/output: log triggered exception policy
Description
A compliment to exception policy stats counters [1], we have some customers that would find it valuable to support logging some information on flows that caused exception policies to be triggered. This is most useful for the midstream policy, where users are interested in identifying the flows that matched the policy so that they can troubleshoot common causes such as asymmetric routing in their network. It may be useful for other exception policies as well, but we don't have as clear of an immediate use case for those.
This might make sense as either a flow log output or an alert log output.
Updated by Victor Julien over 1 year ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
- Target version changed from TBD to 8.0.0-beta1
Updated by Juliana Fajardini Reichow over 1 year ago
- Related to Feature #6210: outputs: add verdict event type added
Updated by Juliana Fajardini Reichow over 1 year ago
- Tracker changed from Bug to Feature
Changing this to "Feature", based on discussions.
Updated by Victor Julien over 1 year ago
The new (in 7) "stream" eve record type might be able to already help here. It logs the flags that include midstream:
{
"timestamp": "2016-07-14T00:42:07.573174+0200",
"flow_id": 1983485797392474,
"pcap_cnt": 9,
"event_type": "stream_tcp",
"src_ip": "10.16.1.11",
"src_port": 54186,
"dest_ip": "82.165.177.154",
"dest_port": 80,
"proto": "TCP",
"pkt_src": "wire/pcap",
"direction": "to_server",
"stream_tcp": {
"packet": {
"len": 40,
"tos": 0,
"ttl": 64,
"ipid": 36763,
"tcpseq": 2059970576,
"tcpack": 2548486955,
"tcpwin": 237,
"syn": false,
"ack": true,
"psh": false,
"rst": false,
"urg": false,
"fin": false,
"tcpres": 0,
"tcpurgp": 0,
"flags": [
"state_update"
]
},
"session": {
"state": "closed",
"pstate": "last_ack",
"flags": {
"flags": [
"midstream",
"midstream_synack",
"3whs_confirmed"
]
},
"client": {
"isn": 2059970493,
"next_seq": 2059970576,
"last_ack": 2059970576,
"next_win": 2060012943,
"base_seq": 2059970494,
"segs_right_edge": 2059970575,
"window": 42368,
"wscale": 7,
"flags": [
"appproto_detection_completed"
]
},
"server": {
"isn": 2548486694,
"next_seq": 2548486955,
"last_ack": 2548486955,
"next_win": 2552369962,
"base_seq": 2548486695,
"segs_right_edge": 2548486954,
"window": 3883008,
"wscale": 14,
"flags": [
"appproto_detection_completed"
]
}
}
}
}
Updated by Juliana Fajardini Reichow about 1 year ago
- Related to Feature #5816: stats: exception policy counters added
Updated by Juliana Fajardini Reichow about 2 months ago
- Subject changed from Exception policy log output to flow/output: log triggered exception policy
- Status changed from Assigned to In Progress
Updated by Juliana Fajardini Reichow about 2 months ago
- Status changed from In Progress to In Review
PR for review: https://github.com/OISF/suricata/pull/12683
Updated by Juliana Fajardini Reichow about 2 months ago
- Related to Optimization #7185: stats: exceptions: use search-friendly log output added
Updated by Juliana Fajardini Reichow 29 days ago
- Status changed from In Review to Resolved
Merged with https://github.com/OISF/suricata/pull/12805
Updated by Juliana Fajardini Reichow 28 days ago
- Label Needs backport to 7.0 added