Optimization #7792

open

Suricata Threshold Rules and EVE File Optimization

Added by xin lin 3 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Suricata Threshold Rule Feature Optimization Request

Chinese Version

Feature Request Overview

I would like to request an optimization of Suricata's threshold rule functionality, specifically an enhancement of the eve.json output file.

Current Issue

Currently, when using Suricata rules with threshold settings, for example:

```
alert tcp any 21 -> any any (msg:"FTP login Brute-force attempt"; flow:to_client,established; content:"530|20|"; offset:0; depth:4; threshold:type both, track by_dst, count 10, seconds 60; classtype:attempted-user; sid:304462; rev:2; metadata: created_at 2023_02_01, updated_at 2023_02_01;)
```

the corresponding eve.json file only contains the single flow_id of the flow that triggered the alert:

```json
{
  "flow_id": 178438751661,
  "alert": {
    "signature_id": 304462,
    ...
  }
}
```

Limitations

- It is not possible to obtain all flow_ids that matched the threshold rule
- For security analysis, the complete list of flow_ids is essential
- It is not possible to batch download all related pcap files through tools such as Arkime for combined analysis

Optimization Proposal

Add a new field to the alert record in eve.json containing all flow_ids matched by the threshold rule. The suggested JSON format is as follows:

```json
{
  "flow_id": 178438751661,
  "alert": {
    "signature_id": 304462,
    "threshold_flows": [
      178438751661,
      178438751662,
      178438751663,
      178438751664,
      178438751665,
      178438751666,
      178438751667,
      178438751668,
      178438751669,
      178438751610
    ],
    ...
  }
}
```

Expected Benefits

1. Completeness: all traffic flows matched by the threshold rule can be obtained
2. Traceability: makes complete attack chain analysis easier
3. Tool integration: integrates seamlessly with network analysis tools such as Arkime
4. Analysis efficiency: supports batch downloading and merged analysis of the related pcap files


English Version

Feature Request Overview

I would like to request an optimization for Suricata's threshold rule functionality, specifically enhancing the eve.json output format.

Current Issue

Currently, when using Suricata rules with threshold settings, such as:

```
alert tcp any 21 -> any any (msg:"FTP login Brute-force attempt"; flow:to_client,established; content:"530|20|"; offset:0; depth:4; threshold:type both, track by_dst, count 10, seconds 60; classtype:attempted-user; sid:304462; rev:2; metadata: created_at 2023_02_01, updated_at 2023_02_01;)
```

The corresponding eve.json file only contains the single flow_id that triggered the alert:

```json
{
  "flow_id": 178438751661,
  "alert": {
    "signature_id": 304462,
    ...
  }
}
```

Limitations

- Cannot obtain all flow_ids that matched the threshold rule
- Complete flow_id lists are crucial for security analysis
- Unable to batch download all related pcap files through tools like Arkime for comprehensive analysis

Optimization Proposal

Add a new field in the eve.json alert record that contains all flow_ids matched by the threshold rule. Suggested JSON format:

```json
{
  "flow_id": 178438751661,
  "alert": {
    "signature_id": 304462,
    "threshold_flows": [
      178438751661,
      178438751662,
      178438751663,
      178438751664,
      178438751665,
      178438751666,
      178438751667,
      178438751668,
      178438751669,
      178438751610
    ],
    ...
  }
}
```

Expected Benefits

1. Completeness: Ability to obtain all related traffic flows matched by threshold rules
2. Traceability: Facilitates complete attack chain analysis
3. Tool Integration: Seamless integration with network analysis tools like Arkime
4. Analysis Efficiency: Supports batch downloading and merged analysis of related pcap files

Implementation Considerations

- The `threshold_flows` array should contain all flow_ids that contributed to reaching the threshold
- This field should only be present when the alert is generated by a threshold rule
- Consider memory and performance implications for rules with high threshold counts
- Maintain backward compatibility with existing eve.json parsers
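The backward-compatibility point above can be checked from the consumer side. The following is an added example, not code from Suricata or from this request: a small eve.json reader that collects every flow_id for a given signature_id, reading the triggering `flow_id` that exists today and merging the proposed `threshold_flows` array only if it is present. The sample lines are constructed for the example; the `threshold_flows` field is the hypothetical one proposed in this issue, not an existing Suricata output field.

```python
import json

# Constructed sample eve.json lines (not taken from the issue). Line 1 is an
# alert in today's format, line 3 carries the proposed "threshold_flows" field.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","flow_id":178438751661,"alert":{"signature_id":304462,"rev":2,"signature":"FTP login Brute-force attempt"}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"flow","flow_id":999,"proto":"TCP"}
{"timestamp":"2024-01-01T00:01:00.000000+0000","event_type":"alert","flow_id":178438751670,"alert":{"signature_id":304462,"rev":2,"signature":"FTP login Brute-force attempt","threshold_flows":[178438751661,178438751662,178438751663]}}
{"timestamp":"2024-01-01T00:02:00.000000+0000","event_type":"alert","flow_id":555,"alert":{"signature_id":2100498,"rev":7,"signature":"other"}}
"""


def collect_flow_ids(eve_text, signature_id):
    """Return the sorted, de-duplicated flow_ids of alerts for signature_id.

    Handles both the current layout (only the triggering flow_id) and the
    hypothetical "threshold_flows" array proposed in this issue, so one
    consumer works before and after the change.
    """
    flow_ids = set()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole file
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert") or {}
        if alert.get("signature_id") != signature_id:
            continue
        if isinstance(event.get("flow_id"), int):
            flow_ids.add(event["flow_id"])
        # Proposed field: present only on threshold-generated alerts, if at all.
        extra = alert.get("threshold_flows")
        if isinstance(extra, list):
            flow_ids.update(i for i in extra if isinstance(i, int))
    return sorted(flow_ids)


if __name__ == "__main__":
    # One id per line is the shape a batch pcap fetch would consume.
    for fid in collect_flow_ids(SAMPLE_EVE, 304462):
        print(fid)
```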
