Project

General

Profile

Actions
Copy link

Feature #3316

open

Unix socket: support dumping flow table

Added by Victor Julien almost 5 years ago. Updated almost 5 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Idea is to use the unix socket interface dump the flow table. This could be used to analyse the internal state of flows.

The conntrack tool from Linux/Netfilter could be an example.

Related issues 3 (3 open0 closed)

Related to Suricata - Task #3288: Suricon 2019 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #3295: Unix socket: support to receive flow shunting informationNewCommunity TicketActions
Related to Suricata - Task #3301: Research: Failover support within the current IPS implementationNewCommunity TicketActions
Actions
Copy link
 #1

Updated by Victor Julien almost 5 years ago

  • Related to Task #3288: Suricon 2019 brainstorm added
Actions
Copy link
 #2

Updated by Victor Julien almost 5 years ago

  • Related to Feature #3295: Unix socket: support to receive flow shunting information added
Actions
Copy link
 #3

Updated by Victor Julien almost 5 years ago

Suggestions about use cases and things like syntax and such are welcome.

Actions
Copy link
 #4

Updated by Victor Julien almost 5 years ago

  • Description updated (diff)
Actions
Copy link
 #5

Updated by Danny Browning almost 5 years ago

One thing as we were exploring saving flow state is that there is not currently a stable identifier for flows between suricata runs. If we plan to load the dumped flow table, flow hash_id will need to be stable (no seed), or support for community flow id will need to be added to flow as a way to marry dumped state and captured flows.

Actions
Copy link
 #6

Updated by Victor Julien almost 4 years ago

  • Related to Task #3301: Research: Failover support within the current IPS implementation added
Actions
Copy link

Also available in: Atom PDF