Project

General

Profile

Actions

Feature #821

open

conditional logging: output steering

Added by Matt Carothers over 8 years ago. Updated almost 2 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
high
Label:

Description

I would like to be able to log (or not) in various formats on a rule-by-rule basis. For example, I would like to see all HTTP requests directed at a particular sinkhole. It would be nice if I could simply add a rule like this:

alert tcp $HOME_NET any -> $SINKHOLE_NET 80 (msg:"Sinkhole HTTP"; content:"GET /"; log:http;)

Or better yet, I'd like to be able to define my own log keywords in suricata.yaml in order to direct debug, pcap, or http logging at different files for different rules.

outputs:
  - debug1
      format: alert-debug
      enabled: conditional # 'yes' - enable for all alerts, 'no' - disable, 'conditional' - enable for rules using a log keyword
      filename: alert-debug1.log
      append: yes
      filetype: regular
  - sinkhole-http
      format: http-log
      enabled: conditional
      filename: sinkhole-http.log
      append: yes


alert tcp $HOME_NET any -> $SINKHOLE_NET 80 (msg:"Sinkhole HTTP"; content:"GET /"; log:sinkhole-http;)
alert tcp any 84 -> $HOME_NET any (msg:"Investigating strange traffic"; log:debug1;)

Related issues

Related to Feature #1005: conditional logging: controlling what gets loggedAssignedVictor JulienActions
Related to Support #4172: Split eve.json into multiple files based on alert severityNewActions
Actions #1

Updated by Victor Julien almost 8 years ago

  • Target version set to TBD
Actions #2

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
Actions #3

Updated by Andreas Herz over 4 years ago

  • Related to Feature #1005: conditional logging: controlling what gets logged added
Actions #4

Updated by Andreas Herz over 4 years ago

  • Related to Feature #1005: conditional logging: controlling what gets logged added
Actions #5

Updated by Andreas Herz over 4 years ago

  • Related to deleted (Feature #1005: conditional logging: controlling what gets logged)
Actions #6

Updated by Victor Julien about 3 years ago

  • Assignee changed from OISF Dev to Anonymous
  • Effort set to medium
  • Difficulty set to high
Actions #7

Updated by Andreas Herz over 2 years ago

  • Assignee set to Community Ticket
Actions #8

Updated by Victor Julien almost 2 years ago

What about a option to make a logger depend on the presence of a flowbit? Then rules can set this.

Actions #9

Updated by Victor Julien almost 2 years ago

  • Subject changed from Conditional logging to conditional logging: output steering
Actions #10

Updated by Victor Julien 10 months ago

  • Related to Support #4172: Split eve.json into multiple files based on alert severity added
Actions

Also available in: Atom PDF