Project

General

Profile

Actions

Feature #7101

open

eve: add number of flowbits in protocol records and alerts

Added by Peter Manev 6 months ago. Updated 6 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Very useful for hunting can be the number of flowbits present in a protocol log or alert.
Details: https://www.stamus-networks.com/blog/suricata-threat-hunting-fundamentals.

The suggestion is to have a simple key/value added to the JSON logs indicating number of flowbits present.
This can also be achieved via SIEM aggregations but if present in the logs it enables for more detection formulas and mechanisms.


Related issues 1 (1 open0 closed)

Related to Suricata - Task #2167: tracking: eve enhancementsNewOISF DevActions
Actions #1

Updated by Jason Ish 6 months ago

  • Related to Task #2167: tracking: eve enhancements added
Actions #2

Updated by Jason Ish 6 months ago

Would probably make sense to add for xbits, etc.

Elastic does have the value_count agg though.

Actions #3

Updated by Lukas Sismis 6 months ago

  • Status changed from New to Feedback
  • Assignee changed from OISF Dev to Peter Manev
Actions #4

Updated by Victor Julien 6 months ago

  • Subject changed from add number of flowbits in protocol JSON logs and alerts to eve: add number of flowbits in protocol records and alerts
Actions

Also available in: Atom PDF