Project

General

Profile

Actions

Feature #7096

open

detect/flow: additions to time detection

Added by Peter Manev 5 months ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Suricata produces by default flow logs. (event_type flow) that can be ingested and searched in a SIEM.

The flow timeout limits in the suricata.yaml control how long we keep tracking of a flow.
However there is a fine line between performance tuning and detection.
It will be great if possible to decouple somehow those.

For example, so that we could write a rule to alert on long unusual sessions (for SSH/RDP/TLS etc).
Some hands on examples and a pcap of 5hr+ long TLS sessions where this can be useful to alert.
https://www.activecountermeasures.com/malware-of-the-day-xenorat/


Related issues 1 (0 open1 closed)

Is duplicate of Suricata - Bug #5536: detect: flow.age keywordClosedPhilippe AntoineActions
Actions #1

Updated by Peter Manev 5 months ago

  • Subject changed from Additions to flow detection to Additions to flow detection - time
Actions #2

Updated by Philippe Antoine 4 months ago ยท Edited

@Peter Manev what more do you need than the already existing "flow.age" keyword ?

Actions #3

Updated by Victor Julien 4 months ago

  • Is duplicate of Bug #5536: detect: flow.age keyword added
Actions #4

Updated by Victor Julien 4 months ago

  • Subject changed from Additions to flow detection - time to detect/flow: additions to time detection
Actions

Also available in: Atom PDF