Bug #2217

event_type flow is missing icmpv4 (while it has icmpv6) info wherever available

Added by Peter Manev over 7 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Originally reported on SELKS user list by Brandon.

This would exist for IPv6-ICMP but not for IPv4-ICMP


{
  "timestamp": "2017-09-26T00:43:30.001064+0200",
  "flow_id": 1140273124741010,
  "event_type": "flow",
  "src_ip": "2001:xxxxxxx",
  "dest_ip": "2a02:0xxxxxx",
  "proto": "IPv6-ICMP",
  "icmp_type": 1,
  "icmp_code": 0,
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 0,
    "bytes_toserver": 138,
    "bytes_toclient": 0,
    "start": "2017-09-26T00:43:24.331666+0200",
    "end": "2017-09-26T00:43:24.331666+0200",
    "age": 0,
    "state": "new",
    "reason": "timeout",
    "alerted": false
  }
}


Related issues 1 (0 open, 1 closed)

Blocked by Suricata - Feature #2292: flow: add icmpv4 and improve icmpv6 flow handling (Closed, Victor Julien)
Actions #1

Updated by Eric Leblond over 7 years ago

This behavior was introduced by commit 548a3b2c93aed79e39a34ee9dd4c68f43a27f363. The idea was not to create flows for ICMP error messages.

Actions #2

Updated by Victor Julien over 7 years ago

I can imagine it would make sense to create a flow for echo/echoreply. But other than echo/echoreply what icmp should lead to a flow?

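Because the discussion turns on which ICMP messages get a flow record at all (the commit Eric mentions deliberately skips ICMP error messages; Victor asks what beyond echo/echo-reply should qualify), the following added example audits EVE flow output for exactly that. It is not Suricata's own code. It reads EVE JSON lines, keeps event_type "flow" records whose proto is "ICMP" (IPv4) or "IPv6-ICMP", flags records that carry no icmp_type/icmp_code (the symptom in this bug), and classifies each ICMP type as a query/response message or an error message using the RFC 792 / RFC 4443 type numbers. It assumes the EVE field names icmp_type/icmp_code shown in the description and that IPv4 ICMP flows carry proto "ICMP"; the sample lines are constructed for the example, not captured traffic.

```python
"""Audit Suricata EVE 'flow' records for ICMP type/code coverage.

Added example, not Suricata code. Assumes EVE proto strings "ICMP" (IPv4)
and "IPv6-ICMP", and the icmp_type/icmp_code fields seen in the bug report.
"""
import json
from collections import defaultdict

# ICMPv4 (RFC 792 and later assignments). Query/response pairs: echo
# reply/request, router advertisement/solicitation, timestamp,
# information request/reply, address mask request/reply.
ICMPV4_QUERY_TYPES = {0, 8, 9, 10, 13, 14, 15, 16, 17, 18}
# Error messages: dest unreachable, source quench, redirect,
# time exceeded, parameter problem.
ICMPV4_ERROR_TYPES = {3, 4, 5, 11, 12}
# ICMPv6 (RFC 4443): types 0-127 are errors, 128-255 informational.
ICMPV6_ECHO_TYPES = {128, 129}


def classify_icmp(proto, icmp_type):
    """Return "query", "error" or "other" for an ICMP type under proto."""
    if proto == "ICMP":
        if icmp_type in ICMPV4_QUERY_TYPES:
            return "query"
        if icmp_type in ICMPV4_ERROR_TYPES:
            return "error"
        return "other"
    if proto == "IPv6-ICMP":
        if icmp_type < 128:
            return "error"
        if icmp_type in ICMPV6_ECHO_TYPES:
            return "query"
        return "other"  # NDP, MLD etc.: informational, not request/reply pairs
    raise ValueError("not an ICMP proto: %r" % proto)


def audit_flow_records(eve_lines):
    """Parse EVE lines; return ({proto: {bucket: count}}, [per-flow findings]).

    Buckets per proto: "flows" (all ICMP flow records), "missing_icmp_fields"
    (no icmp_type or icmp_code), and the classify_icmp() result otherwise.
    """
    summary = defaultdict(lambda: defaultdict(int))
    findings = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "flow":
            continue  # alert, dns, http and friends are out of scope here
        proto = rec.get("proto")
        if proto not in ("ICMP", "IPv6-ICMP"):
            continue
        summary[proto]["flows"] += 1
        finding = {"flow_id": rec.get("flow_id"), "proto": proto,
                   "src_ip": rec.get("src_ip"), "dest_ip": rec.get("dest_ip")}
        if "icmp_type" not in rec or "icmp_code" not in rec:
            finding["kind"] = "missing_icmp_fields"
        else:
            finding["kind"] = classify_icmp(proto, rec["icmp_type"])
            finding["icmp"] = (rec["icmp_type"], rec["icmp_code"])
        summary[proto][finding["kind"]] += 1
        findings.append(finding)
    return {p: dict(b) for p, b in summary.items()}, findings


# Constructed EVE lines (documentation addresses), modelled on the record in
# the bug description. Order: ICMPv6 error, ICMPv6 echo request, IPv4 ICMP
# flow lacking the fields, IPv4 echo request, then two events to ignore.
SAMPLE_EVE_LINES = [
    '{"timestamp": "2017-09-26T00:43:30.001064+0200", "flow_id": 1140273124741010, '
    '"event_type": "flow", "src_ip": "2001:db8::1", "dest_ip": "2001:db8::2", '
    '"proto": "IPv6-ICMP", "icmp_type": 1, "icmp_code": 0, '
    '"flow": {"pkts_toserver": 1, "pkts_toclient": 0, "state": "new", "reason": "timeout", "alerted": false}}',
    '{"timestamp": "2017-09-26T00:43:31.000000+0200", "flow_id": 2, "event_type": "flow", '
    '"src_ip": "2001:db8::1", "dest_ip": "2001:db8::3", "proto": "IPv6-ICMP", '
    '"icmp_type": 128, "icmp_code": 0, "flow": {"pkts_toserver": 1, "pkts_toclient": 1}}',
    '{"timestamp": "2017-09-26T00:43:32.000000+0200", "flow_id": 3, "event_type": "flow", '
    '"src_ip": "192.0.2.10", "dest_ip": "192.0.2.20", "proto": "ICMP", '
    '"flow": {"pkts_toserver": 1, "pkts_toclient": 1}}',
    '{"timestamp": "2017-09-26T00:43:33.000000+0200", "flow_id": 4, "event_type": "flow", '
    '"src_ip": "192.0.2.10", "dest_ip": "192.0.2.21", "proto": "ICMP", '
    '"icmp_type": 8, "icmp_code": 0, "flow": {"pkts_toserver": 1, "pkts_toclient": 1}}',
    '{"timestamp": "2017-09-26T00:43:34.000000+0200", "flow_id": 5, "event_type": "flow", '
    '"src_ip": "192.0.2.10", "dest_ip": "192.0.2.22", "proto": "TCP", "flow": {}}',
    '{"timestamp": "2017-09-26T00:43:35.000000+0200", "flow_id": 6, "event_type": "alert", '
    '"src_ip": "192.0.2.10", "dest_ip": "192.0.2.23", "proto": "ICMP", "icmp_type": 8, "icmp_code": 0}',
]

if __name__ == "__main__":
    totals, per_flow = audit_flow_records(SAMPLE_EVE_LINES)
    for proto, buckets in sorted(totals.items()):
        print(proto, dict(buckets))
    for f in per_flow:
        print(f)
```

Run it against a real eve.json (`audit_flow_records(open("eve.json"))`) and a non-zero "missing_icmp_fields" bucket under "ICMP" means the sensor shows the behaviour this ticket describes; the "error" versus "query" split shows which kinds of ICMP the sensor is actually turning into flows.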
Actions #3

Updated by brandon okuszka about 7 years ago

Good morning,

I initially reported this issue in the SELKS Google group. In this case, I'm attempting to use the Suricata logs and ELK stack to analyze ICMP v4/v6 traffic (among other things). Ideally, I'd like to be able to see all ICMP types. Still, flows for echo request and reply alone would be beneficial. As of right now the only workaround is to generate simple alerts based off ICMP type. I'd like to avoid that if possible. Would there be a way to turn off / on the creation of ICMP flows?

Actions #4

Updated by Andreas Herz about 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #5

Updated by Victor Julien about 7 years ago

  • Blocked by Feature #2292: flow: add icmpv4 and improve icmpv6 flow handling added
Actions #6

Updated by Victor Julien about 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
Actions #7

Updated by Victor Julien over 6 years ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 4.1rc1