Project

General

Profile

Actions

Feature #6215

open

Exception policy log output

Added by Jamie Lavigne over 1 year ago. Updated over 1 year ago.

Status:
Assigned
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

A compliment to exception policy stats counters [1], we have some customers that would find it valuable to support logging some information on flows that caused exception policies to be triggered. This is most useful for the midstream policy, where users are interested in identifying the flows that matched the policy so that they can troubleshoot common causes such as asymmetric routing in their network. It may be useful for other exception policies as well, but we don't have as clear of an immediate use case for those.

This might make sense as either a flow log output or an alert log output.

[1] https://redmine.openinfosecfoundation.org/issues/5816


Related issues 2 (2 open0 closed)

Related to Suricata - Feature #6210: outputs: add verdict event typeNewJuliana Fajardini ReichowActions
Related to Suricata - Feature #5816: Exception policy stats countersResolvedJuliana Fajardini ReichowActions
Actions #1

Updated by Victor Julien over 1 year ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Juliana Fajardini Reichow
  • Target version changed from TBD to 8.0.0-beta1
Actions #2

Updated by Juliana Fajardini Reichow over 1 year ago

  • Related to Feature #6210: outputs: add verdict event type added
Actions #3

Updated by Juliana Fajardini Reichow over 1 year ago

  • Tracker changed from Bug to Feature

Changing this to "Feature", based on discussions.

Actions #4

Updated by Victor Julien over 1 year ago

The new (in 7) "stream" eve record type might be able to already help here. It logs the flags that include midstream:

{
  "timestamp": "2016-07-14T00:42:07.573174+0200",
  "flow_id": 1983485797392474,
  "pcap_cnt": 9,
  "event_type": "stream_tcp",
  "src_ip": "10.16.1.11",
  "src_port": 54186,
  "dest_ip": "82.165.177.154",
  "dest_port": 80,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "direction": "to_server",
  "stream_tcp": {
    "packet": {
      "len": 40,
      "tos": 0,
      "ttl": 64,
      "ipid": 36763,
      "tcpseq": 2059970576,
      "tcpack": 2548486955,
      "tcpwin": 237,
      "syn": false,
      "ack": true,
      "psh": false,
      "rst": false,
      "urg": false,
      "fin": false,
      "tcpres": 0,
      "tcpurgp": 0,
      "flags": [
        "state_update" 
      ]
    },
    "session": {
      "state": "closed",
      "pstate": "last_ack",
      "flags": {
        "flags": [
          "midstream",
          "midstream_synack",
          "3whs_confirmed" 
        ]
      },
      "client": {
        "isn": 2059970493,
        "next_seq": 2059970576,
        "last_ack": 2059970576,
        "next_win": 2060012943,
        "base_seq": 2059970494,
        "segs_right_edge": 2059970575,
        "window": 42368,
        "wscale": 7,
        "flags": [
          "appproto_detection_completed" 
        ]
      },
      "server": {
        "isn": 2548486694,
        "next_seq": 2548486955,
        "last_ack": 2548486955,
        "next_win": 2552369962,
        "base_seq": 2548486695,
        "segs_right_edge": 2548486954,
        "window": 3883008,
        "wscale": 14,
        "flags": [
          "appproto_detection_completed" 
        ]
      }
    }
  }
}

Actions #5

Updated by Juliana Fajardini Reichow 8 months ago

  • Related to Feature #5816: Exception policy stats counters added
Actions

Also available in: Atom PDF