Feature #7096 (open)
detect/flow: additions to time detection
Description
Suricata produces flow logs by default (event_type flow) that can be ingested and searched in a SIEM.
The flow timeout limits in the suricata.yaml control how long we keep tracking a flow.
However, there is a fine line between performance tuning and detection.
It would be great if it were possible to decouple those somehow.
For example, so that we could write a rule to alert on long, unusual sessions (for SSH/RDP/TLS, etc.).
Some hands-on examples and a pcap of 5hr+ long TLS sessions where this can be useful to alert on:
https://www.activecountermeasures.com/malware-of-the-day-xenorat/
Updated by Peter Manev 5 months ago
- Subject changed from Additions to flow detection to Additions to flow detection - time
Updated by Philippe Antoine 5 months ago · Edited
@Peter Manev what more do you need than the already existing "flow.age" keyword?
Updated by Victor Julien 5 months ago
- Is duplicate of Bug #5536: detect: flow.age keyword added
Updated by Victor Julien 5 months ago
- Subject changed from Additions to flow detection - time to detect/flow: additions to time detection
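Worked example of the use case from the description (alerting on unusually long SSH/RDP/TLS sessions) written with the flow.age keyword referenced in the comments. These rules are added here for illustration and are not part of the issue, of Bug #5536, or of any Suricata ruleset; the SIDs, the flowbit name and the duration thresholds are arbitrary assumptions, and the rules need Suricata 7.0 or later, where flow.age is available.

```suricata
# Added example, not from the issue or the Suricata project. Requires Suricata 7.0+,
# where flow.age matches the age of the flow in seconds (first packet to now).
# SIDs 9000001-9000003, the flowbit name and the thresholds are assumptions.

# TLS session that has been alive for more than 4 hours (the XenoRAT pcap linked
# above carries TLS sessions of 5h+). The flowbits pair makes the rule fire once
# per flow instead of on every packet seen after the threshold is crossed.
alert tls any any -> any any (msg:"LOCAL long-lived TLS session (>4h)"; flow:established; flow.age:>14400; flowbits:isnotset,local.longflow; flowbits:set,local.longflow; sid:9000001; rev:1;)

# SSH session older than 1 hour.
alert ssh any any -> any any (msg:"LOCAL long-lived SSH session (>1h)"; flow:established; flow.age:>3600; flowbits:isnotset,local.longflow; flowbits:set,local.longflow; sid:9000002; rev:1;)

# RDP session older than 8 hours.
alert rdp any any -> any any (msg:"LOCAL long-lived RDP session (>8h)"; flow:established; flow.age:>28800; flowbits:isnotset,local.longflow; flowbits:set,local.longflow; sid:9000003; rev:1;)
```

Two caveats worth keeping in mind when tuning these. The flow timeouts in suricata.yaml are inactivity timeouts, so an active session keeps being tracked well past the configured value and its age keeps growing; flow.age is measured from the flow's first packet, so a session that goes idle long enough to be timed out and then resumes appears as a new, young flow. And because flow.age is evaluated per packet, dropping the flowbits pair turns each rule into a steady stream of alerts for every packet after the threshold.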