Feature #7047
closed
eve: add ip version field
Description
Add a field to EVE records specifying the IP version.
Use case: I wanted to limit a set of eve records down to just IPv4 as there were a lot of IPv6 records in the stream, and there was no field to filter on short of a regular expression on the IP addresses.
It actually doesn't seem common for other tools in this space to log this field either. Instead it is often added by post-processing tools based on inspecting the IP addresses.
Possible examples:
"ip_ver": 4
or a key of "ipv", "ip_version", I think this fits our current schema the best.
But I've also seen:
"network_type": "ipv4"
PA Updated by Philippe Antoine about 1 year ago
Was this not solved by cbda276aebf4657fed709368028d6b21acf5c4e7 from #7129?
PA Updated by Philippe Antoine about 1 year ago
- Related to Feature #7129: decode: Create a decode event for unknown ethertypes added
VJ Updated by Victor Julien about 1 year ago
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
VJ Updated by Victor Julien 11 months ago
"ip_v":4 is the format we'd want.
VJ Updated by Victor Julien 11 months ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
JF Updated by Juliana Fajardini Reichow 11 months ago
- Status changed from Assigned to In Progress
JF Updated by Juliana Fajardini Reichow 11 months ago
- Status changed from In Progress to In Review
PR for review: https://github.com/OISF/suricata/pull/13191
JF Updated by Juliana Fajardini Reichow 11 months ago
- Status changed from In Review to Closed
Merged with https://github.com/OISF/suricata/pull/13201
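The filtering use case from the description, as an added example that is not part of the original issue or of Suricata's code: it selects EVE records by IP version, using the `ip_v` field named in the thread when present and falling back to inspecting `src_ip`/`dest_ip` for records that lack it. The function names and the sample records are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample EVE lines (documentation address ranges, not real traffic).
SAMPLE_EVE = """\
{"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","ip_v":4}
{"event_type":"flow","src_ip":"2001:db8::1","dest_ip":"2001:db8::2","ip_v":6}
{"event_type":"dns","src_ip":"203.0.113.5","dest_ip":"192.0.2.53"}
{"event_type":"alert","src_ip":"2001:db8::dead","dest_ip":"2001:db8::beef"}
{"event_type":"stats","stats":{"uptime":60}}
{"event_type":"flow","src_ip":"not-an-ip"}
{"event_type":"flow", truncated
"""


def ip_version(record):
    """Return 4 or 6 for an EVE record, or None if it carries no usable IP info."""
    ver = record.get("ip_v")  # field name as given in the thread (assumption)
    if ver in (4, 6):
        return ver
    # Fallback for records without ip_v: derive the version from the address.
    for key in ("src_ip", "dest_ip"):
        addr = record.get(key)
        if not isinstance(addr, str):
            continue
        try:
            return ipaddress.ip_address(addr).version
        except ValueError:
            continue  # unparsable address, try the other side
    return None


def filter_eve(lines, version):
    """Yield parsed EVE records whose IP version equals `version` (4 or 6)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines instead of aborting
        if isinstance(record, dict) and ip_version(record) == version:
            yield record


if __name__ == "__main__":
    for rec in filter_eve(SAMPLE_EVE.splitlines(), 4):
        print(json.dumps(rec))
```

Records without any IP fields (such as `stats`) and lines that fail to parse are dropped from both the IPv4 and the IPv6 selection.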