Optimization #7792 (status: open)
Suricata Threshold Rules and EVE File Optimization
Description
- Suricata Threshold Rule Feature Optimization Request
- Chinese Version
- Feature Request Overview
I would like to request an optimization of Suricata's threshold rule functionality, specifically an enhancement of the eve.json output file.
- Current Issue
Currently, when using Suricata rules with threshold settings, for example:
```
alert tcp any 21 -> any any (msg:"FTP login Brute-force attempt"; flow:to_client,established; content:"530|20|"; offset:0; depth:4; threshold:type both, track by_dst, count 10, seconds 60; classtype:attempted-user; sid:304462; rev:2; metadata: created_at 2023_02_01, updated_at 2023_02_01;)
```
The corresponding eve.json file only contains the single flow_id from the moment the alert was triggered:
```json
{
"flow_id": 178438751661,
"alert": {
"signature_id": 304462,
...
}
}
```
- Limitations
- Unable to obtain all flow_ids that the threshold rule hit
- For security analysis, the complete list of flow_ids is critical
- Unable to batch download all related pcap files through tools such as Arkime for comprehensive analysis
- Optimization Proposal
Add a new field to the alert record in eve.json that contains all flow_ids matched by the threshold rule. The suggested JSON format is as follows:
```json
{
"flow_id": 178438751661,
"alert": {
"signature_id": 304462,
"threshold_flows": [
178438751661,
178438751662,
178438751663,
178438751664,
178438751665,
178438751666,
178438751667,
178438751668,
178438751669,
178438751610
],
...
}
}
```
- Expected Benefits
1. Completeness: all related flows matched by the threshold rule can be obtained
2. Traceability: facilitates complete attack chain analysis
3. Tool integration: seamless integration with network analysis tools such as Arkime
4. Analysis efficiency: supports batch downloading and merged analysis of related pcap files
- English Version
- Feature Request Overview
I would like to request an optimization for Suricata's threshold rule functionality, specifically enhancing the eve.json output format.
- Current Issue
Currently, when using Suricata rules with threshold settings, such as:
```
alert tcp any 21 -> any any (msg:"FTP login Brute-force attempt"; flow:to_client,established; content:"530|20|"; offset:0; depth:4; threshold:type both, track by_dst, count 10, seconds 60; classtype:attempted-user; sid:304462; rev:2; metadata: created_at 2023_02_01, updated_at 2023_02_01;)
```
The corresponding eve.json file only contains the single flow_id that triggered the alert:
```json
{
"flow_id": 178438751661,
"alert": {
"signature_id": 304462,
...
}
}
```
- Limitations
- Cannot obtain all flow_ids that matched the threshold rule
- Complete flow_id lists are crucial for security analysis
- Unable to batch download all related pcap files through tools like Arkime for comprehensive analysis
- Optimization Proposal
Add a new field in the eve.json alert record that contains all flow_ids matched by the threshold rule. Suggested JSON format:
```json
{
"flow_id": 178438751661,
"alert": {
"signature_id": 304462,
"threshold_flows": [
178438751661,
178438751662,
178438751663,
178438751664,
178438751665,
178438751666,
178438751667,
178438751668,
178438751669,
178438751610
],
...
}
}
```
- Expected Benefits
1. Completeness: Ability to obtain all related traffic flows matched by threshold rules
2. Traceability: Facilitates complete attack chain analysis
3. Tool Integration: Seamless integration with network analysis tools like Arkime
4. Analysis Efficiency: Supports batch downloading and merged analysis of related pcap files
- Implementation Considerations
- The `threshold_flows` array should contain all flow_ids that contributed to reaching the threshold
- This field should only be present when the alert is generated by a threshold rule
- Consider memory and performance implications for rules with high threshold counts
- Maintain backward compatibility with existing eve.json parsers
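The threshold semantics the rule above relies on (`type both, track by_dst, count 10, seconds 60`), the proposed `threshold_flows` field, and the bounded-memory and backward-compatibility points from the Implementation Considerations, as a worked Python example. This is an added illustration and not Suricata's own code: the `BothThreshold` class, the `flow_ids_for_alert` helper, `run_sample`, and the event stream with its addresses and flow_ids are constructed for the example; only the rule values and signature id 304462 come from the request.

```python
"""Simulate Suricata's 'threshold: type both, track by_dst, count 10, seconds 60'
and emit eve.json-style alert records carrying the proposed 'threshold_flows'
array. Added illustration only, not Suricata's implementation; the event
stream, addresses and flow_ids are constructed sample data."""
import json


class BothThreshold:
    """Per-tracked-address state for 'type both': at most one alert per
    `seconds` window, and only once `count` matches were seen in that window."""

    def __init__(self, sid, count=10, seconds=60):
        self.sid = sid
        self.count = count
        self.seconds = seconds
        # dest_ip -> {"start": window start ts, "n": matches, "flows": [...], "alerted": bool}
        self._state = {}

    def match(self, event):
        """Feed one rule match (dict with ts, src_ip, dest_ip, flow_id).
        Returns an eve-style alert dict when the threshold fires, else None."""
        key = event["dest_ip"]  # track by_dst
        st = self._state.get(key)
        if st is None or event["ts"] - st["start"] >= self.seconds:
            # First match of a new window resets the counter.
            st = {"start": event["ts"], "n": 0, "flows": [], "alerted": False}
            self._state[key] = st
        st["n"] += 1
        # Only the matches needed to reach `count` explain the alert, so the
        # per-address memory for the proposed field is bounded by `count` ids.
        if len(st["flows"]) < self.count and event["flow_id"] not in st["flows"]:
            st["flows"].append(event["flow_id"])
        if st["n"] >= self.count and not st["alerted"]:
            st["alerted"] = True  # further matches in this window stay silent
            return {
                "timestamp": event["ts"],
                "event_type": "alert",
                "flow_id": event["flow_id"],  # the flow that pushed the count over
                "src_ip": event["src_ip"],
                "dest_ip": event["dest_ip"],
                "alert": {
                    "signature_id": self.sid,
                    "signature": "FTP login Brute-force attempt",
                    "threshold_flows": list(st["flows"]),  # proposed new field
                },
            }
        return None


def flow_ids_for_alert(record):
    """Backward-compatible consumer: use threshold_flows when present, otherwise
    fall back to the single flow_id that existing eve.json records carry."""
    flows = record.get("alert", {}).get("threshold_flows")
    return list(flows) if flows else [record["flow_id"]]


def run_sample():
    """Constructed sample: 12 FTP '530' responses to one client within 60 s,
    3 to another client, then one more to the first client after the window."""
    th = BothThreshold(sid=304462, count=10, seconds=60)
    events = []
    for i in range(12):
        events.append({"ts": i * 5, "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10",
                       "flow_id": 178438751661 + i})
    for i in range(3):
        events.append({"ts": i * 5 + 1, "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7",
                       "flow_id": 178438760000 + i})
    events.append({"ts": 70, "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10",
                   "flow_id": 178438751700})
    events.sort(key=lambda e: e["ts"])
    return [a for a in (th.match(e) for e in events) if a is not None]


if __name__ == "__main__":
    for rec in run_sample():
        print(json.dumps(rec))
        print("flows to fetch:", flow_ids_for_alert(rec))
```

Running it produces exactly one alert (on the tenth match to 192.0.2.10) whose `threshold_flows` lists the ten contributing flow_ids; the second client never reaches the count, and the match at 70 s starts a fresh window without alerting. `flow_ids_for_alert` handles records from either format, which is the kind of fallback an Arkime fetch script would need while older sensors still emit the single `flow_id`.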