Feature #5647
open
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Shivani Bhardwaj
- Target version changed from TBD to 8.0.0-beta1
- Priority changed from Normal to High
The idea here is that, based on #5536, #3271 and #5646, you can set a flag in the flow that is then added to eve.flow logs.
Q: Why can't we just set a flowbit based on flow bytes count and flow age?
I'm thinking:
1. have a setting in suricata.yaml that indicates the number of bytes and the age of the flow after which a flow should be considered an elephant flow.
2. allow overriding that setting for specific flows with a rule flag to the flow.bytes.. keyword that marks a flow as an elephant flow. Syntax could be something like flow.bytes_toserver:>=100000000,elephant
incorrect since this does not take the age of the flow into account.
3. log elephant flow counter (unique elephant flows) in eve
Thoughts?
Note: What gets done with such a flow is not in scope of this ticket.
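The following is an added example of the proposed logic, written for this page; it is not Suricata code and not something the ticket author posted. It models points 1 to 3 above: a global bytes-plus-age threshold that stands in for the suricata.yaml setting, a per-flow override that stands in for the rule keyword, the sticky per-flow flag that would end up in eve.flow, and a counter of unique elephant flows. The config key names (`elephant-flow`, `bytes`, `age`), the `ElephantOverride` fields, the `flow.elephant` stats field and all flow records are assumptions constructed for the example. The override carries an age as well as a byte count, since the note above points out that a bytes-only override ignores how long the flow has been alive.

```python
"""Prototype of the elephant-flow flag proposed in this ticket.

Added example, not Suricata code. Config keys, rule fields and flow
records are assumptions chosen to mirror the ticket's proposal.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed mirror of the suricata.yaml setting (point 1): a flow is an
# elephant once it has carried at least `bytes` bytes AND has been alive
# for at least `age` seconds. The key names are hypothetical.
DEFAULT_CONFIG = {"elephant-flow": {"bytes": 100_000_000, "age": 30}}


@dataclass
class Flow:
    flow_id: int
    bytes_toserver: int
    bytes_toclient: int
    age: int                 # seconds since the flow was first seen
    elephant: bool = False   # the per-flow flag that would be logged in eve.flow


@dataclass
class ElephantOverride:
    """Hypothetical per-rule override (point 2).

    Only one direction is checked, matching the flow.bytes_toserver idea.
    An age is required too: a bytes-only override would ignore flow age.
    """
    min_bytes: int
    min_age: int
    direction: str = "toserver"   # "toserver" or "toclient"


def counted_bytes(flow: Flow, direction: Optional[str]) -> int:
    """Bytes in one direction, or both directions for the global setting."""
    if direction == "toserver":
        return flow.bytes_toserver
    if direction == "toclient":
        return flow.bytes_toclient
    return flow.bytes_toserver + flow.bytes_toclient


def is_elephant(flow: Flow, config: dict,
                override: Optional[ElephantOverride] = None) -> bool:
    """Apply the global thresholds or the override; both need bytes AND age."""
    if override is None:
        cfg = config["elephant-flow"]
        return counted_bytes(flow, None) >= cfg["bytes"] and flow.age >= cfg["age"]
    return (counted_bytes(flow, override.direction) >= override.min_bytes
            and flow.age >= override.min_age)


class ElephantTracker:
    """Sets the flow flag and keeps the unique-elephant counter (point 3)."""

    def __init__(self, config: dict = DEFAULT_CONFIG):
        self.config = config
        self.seen: set = set()

    def update(self, flow: Flow,
               override: Optional[ElephantOverride] = None) -> bool:
        """Re-evaluate one flow; returns True only when it is newly flagged."""
        if flow.elephant:
            return False          # flag is sticky, so a flow is counted once
        if is_elephant(flow, self.config, override):
            flow.elephant = True
            self.seen.add(flow.flow_id)
            return True
        return False

    def eve_stats(self) -> Dict[str, int]:
        # Field name for the eve stats record is an assumption.
        return {"flow.elephant": len(self.seen)}


def demo() -> Dict[str, object]:
    """Run the tracker over constructed flows (not captured data)."""
    tracker = ElephantTracker()
    flows = [
        Flow(1, 80_000_000, 40_000_000, age=120),  # 120 MB over 2 min: elephant
        Flow(2, 150_000_000, 1_000, age=5),        # many bytes but only 5 s old
        Flow(3, 1_000, 2_000, age=3600),           # old but tiny
        Flow(4, 20_000_000, 500, age=45),          # below the global byte threshold
    ]
    # Hypothetical rule override for flow 4: 10 MB to server over at least 30 s.
    overrides = {4: ElephantOverride(min_bytes=10_000_000, min_age=30)}
    for f in flows:
        tracker.update(f, overrides.get(f.flow_id))
    tracker.update(flows[0])   # a second evaluation must not bump the counter
    return {"flagged": [f.flow_id for f in flows if f.elephant],
            "stats": tracker.eve_stats()}


if __name__ == "__main__":
    print(demo())
```

Flow 2 shows why age matters: it has already exceeded the byte threshold but is only five seconds old, so it is not flagged on this evaluation, whereas flow 4 is flagged only because the override lowered the byte threshold for it. Re-evaluating a flagged flow leaves the counter unchanged, which is what "unique elephant flows" requires.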
- Status changed from Assigned to In Review