Feature #6215

closed

flow/output: log triggered exception policy

Added by Jamie Lavigne about 2 years ago. Updated 29 days ago.

Status: Closed
Priority: High

Description

A complement to exception policy stats counters [1], we have some customers that would find it valuable to support logging some information on flows that caused exception policies to be triggered. This is most useful for the midstream policy, where users are interested in identifying the flows that matched the policy so that they can troubleshoot common causes such as asymmetric routing in their network. It may be useful for other exception policies as well, but we don't have as clear an immediate use case for those.

This might make sense as either a flow log output or an alert log output.

[1] https://redmine.openinfosecfoundation.org/issues/5816
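The troubleshooting workflow the request describes, reading flow records from eve.json, picking out the ones that triggered an exception policy and flagging the midstream-triggered flows that also only saw traffic in one direction (the signature of asymmetric routing), as an added example. This is illustrative code written for this page, not Suricata's implementation and not the schema the ticket was closed with: the `flow.exception_policy` list with `target` and `policy` keys, the target name `midstream` and the sample log lines are all constructed assumptions; point `extract_policies()` at whatever field your build actually emits.

```python
import json
from collections import Counter

# Constructed eve.json lines for this example; they are NOT real Suricata output.
# The "exception_policy" list under "flow" (entries with "target" and "policy")
# is an ASSUMED layout for the logging requested in #6215.
SAMPLE_EVE_LINES = [
    # Midstream pick-up with zero client->server packets: asymmetric-routing candidate.
    '{"event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10",'
    '"dest_port":443,"proto":"TCP","flow":{"pkts_toserver":0,"pkts_toclient":12,'
    '"exception_policy":[{"target":"midstream","policy":"ignore"}]}}',
    # Midstream pick-up but both directions seen: flow simply predates the sensor.
    '{"event_type":"flow","src_ip":"10.0.0.7","src_port":40022,"dest_ip":"192.0.2.10",'
    '"dest_port":443,"proto":"TCP","flow":{"pkts_toserver":30,"pkts_toclient":28,'
    '"exception_policy":[{"target":"midstream","policy":"ignore"}]}}',
    # Ordinary flow, no exception policy triggered.
    '{"event_type":"flow","src_ip":"10.0.0.9","src_port":33000,"dest_ip":"198.51.100.4",'
    '"dest_port":80,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4}}',
    # A different event type; ignored by the flow scan.
    '{"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10",'
    '"dest_port":443,"proto":"TCP","alert":{"signature_id":1}}',
    # One-directional, but a different policy target (assumed name).
    '{"event_type":"flow","src_ip":"10.0.0.11","src_port":54000,"dest_ip":"192.0.2.22",'
    '"dest_port":25,"proto":"TCP","flow":{"pkts_toserver":9,"pkts_toclient":0,'
    '"exception_policy":[{"target":"app-layer-error","policy":"drop-flow"}]}}',
    # Truncated line, as happens on log rotation; must not abort the scan.
    '{"event_type":"flow","src_ip":"10.0.0.1"',
]


def iter_events(lines, event_type="flow"):
    """Yield parsed events of one type, skipping lines that are not valid JSON."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == event_type:
            yield ev


def extract_policies(ev):
    """Return (target, policy) pairs logged on a flow event; [] if none.

    Assumed field layout: ev["flow"]["exception_policy"] = [{"target":..,"policy":..}].
    """
    entries = ev.get("flow", {}).get("exception_policy", [])
    return [(p.get("target"), p.get("policy")) for p in entries]


def policy_counts(lines):
    """Per-(target, policy) flow counts; a log-derived cross-check of the stats counters."""
    counts = Counter()
    for ev in iter_events(lines):
        counts.update(extract_policies(ev))
    return counts


def flow_tuple(ev):
    return (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev.get("proto"))


def is_one_directional(ev):
    """True when packets were counted in only one direction of the flow."""
    f = ev.get("flow", {})
    return f.get("pkts_toserver", 0) == 0 or f.get("pkts_toclient", 0) == 0


def asymmetric_routing_candidates(lines, target="midstream"):
    """Flows that triggered `target` AND were only ever seen in one direction.

    A midstream pick-up with both directions present just means the flow started
    before the sensor did; a midstream pick-up with one direction missing is the
    pattern asymmetric routing leaves behind.
    """
    found = []
    for ev in iter_events(lines):
        hit = any(t == target for t, _ in extract_policies(ev))
        if hit and is_one_directional(ev):
            found.append(flow_tuple(ev))
    return found


def candidate_servers(lines, target="midstream"):
    """Group candidates by (dest_ip, dest_port) to spot the affected path or service."""
    return Counter((d_ip, d_port) for _, _, d_ip, d_port, _ in
                   asymmetric_routing_candidates(lines, target))


if __name__ == "__main__":
    for (tgt, pol), n in sorted(policy_counts(SAMPLE_EVE_LINES).items()):
        print(f"{tgt:16} {pol:10} {n}")
    for t in asymmetric_routing_candidates(SAMPLE_EVE_LINES):
        print("asymmetric-routing candidate:", t)
    print("by server:", dict(candidate_servers(SAMPLE_EVE_LINES)))
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE_LINES` with the file's lines once you have confirmed the field names; the per-(target, policy) counts should agree with the exception policy stats counters from #5816 over the same interval, which is a quick way to confirm the log output is complete.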


Related issues (4: 1 open, 3 closed)

Related to Suricata - Feature #6210: outputs: add verdict event type (New, Juliana Fajardini Reichow)
Related to Suricata - Feature #5816: stats: exception policy counters (Closed, Juliana Fajardini Reichow)
Related to Suricata - Optimization #7185: stats: exceptions: use search-friendly log output (Closed, Juliana Fajardini Reichow)
Related to Suricata - Feature #7623: flow/output: log triggered exception policy (7.0.x backport) (Closed, Juliana Fajardini Reichow)
