
Feature #7101: eve: add number of flowbits in protocol records and alerts

Added by Peter Manev almost 2 years ago. Updated almost 2 years ago.

Status: Feedback
Priority: Normal

Description

The number of flowbits present in a protocol log or alert can be very useful for hunting.
Details: https://www.stamus-networks.com/blog/suricata-threat-hunting-fundamentals.

The suggestion is to have a simple key/value added to the JSON logs indicating the number of flowbits present.
This can also be achieved via SIEM aggregations, but if present in the logs it enables more detection formulas and mechanisms.
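Until such a key exists in Suricata itself, the count can be derived by post-processing EVE output. The following is an added example, not Suricata code or the ticket author's: it reads EVE JSON lines, counts the entries under `metadata.flowbits` (assumed to be a list, as logged when metadata output is enabled), writes the count under the placeholder key `flowbits_count`, and filters records by that count. The sample records are constructed.

```python
import json

# Constructed sample EVE records (not real captures). Flowbits are assumed to
# appear as a list under metadata.flowbits; the third record has none.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","metadata":{"flowbits":["bit.one","bit.two"]}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"192.0.2.11","alert":{"signature":"constructed test sig"},"metadata":{"flowbits":["a","b","c"]}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"dns","src_ip":"10.0.0.7","dest_ip":"192.0.2.12"}
"""


def flowbits_count(record):
    """Number of flowbits attached to one EVE record (0 when none are logged)."""
    bits = record.get("metadata", {}).get("flowbits")
    return len(bits) if isinstance(bits, list) else 0


def enrich(lines, key="flowbits_count"):
    """Yield each record with the count added under `key`.

    `flowbits_count` is a placeholder name chosen for this example; the ticket
    does not fix a field name.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed lines instead of aborting
        rec[key] = flowbits_count(rec)
        yield rec


def hunt(records, min_bits=2, key="flowbits_count"):
    """Return records carrying at least `min_bits` flowbits, a simple hunting cut."""
    return [r for r in records if r.get(key, 0) >= min_bits]


if __name__ == "__main__":
    enriched = list(enrich(SAMPLE_EVE.splitlines()))
    for r in hunt(enriched):
        print(r["flow_id"], r["event_type"], r["flowbits_count"])
```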


Related issues (1 open, 0 closed)

Related to Suricata - Task #2167: tracking: eve enhancements (status: New, assignee: OISF Dev)

#1 - Updated by Jason Ish almost 2 years ago

  • Related to Task #2167: tracking: eve enhancements added

#2 - Updated by Jason Ish almost 2 years ago

Would probably make sense to add for xbits, etc.

Elastic does have the value_count agg though.

#3 - Updated by Lukas Sismis almost 2 years ago

  • Status changed from New to Feedback
  • Assignee changed from OISF Dev to Peter Manev

#4 - Updated by Victor Julien almost 2 years ago

  • Subject changed from add number of flowbits in protocol JSON logs and alerts to eve: add number of flowbits in protocol records and alerts