Feature #7096
opendetect/flow: additions to time detection
Description
Suricata produces flow logs by default (event_type flow) that can be ingested and searched in a SIEM.
The flow timeout limits in suricata.yaml control how long we keep tracking a flow.
However, there is a fine line between performance tuning and detection.
It would be great if it were possible to decouple those somehow.
For example, so that we could write a rule to alert on unusually long sessions (for SSH/RDP/TLS, etc.).
Some hands-on examples and a pcap of 5hr+ long TLS sessions where alerting on this would be useful:
https://www.activecountermeasures.com/malware-of-the-day-xenorat/
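As an added illustration (not part of this issue or of Suricata), the following script scans eve.json flow events, the same event_type flow records the request mentions, and flags TLS/SSH/RDP flows whose tracked age is at or above a 5-hour threshold; the sample records, the watch list, the threshold and the function names are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample eve.json lines (not from a real capture): two long TLS/SSH
# sessions, one short TLS flow and one non-flow event that must be ignored.
SAMPLE_EVE_LINES = [
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"app_proto":"tls",'
    '"flow":{"start":"2024-03-01T09:55:01.000000+0000","end":"2024-03-01T15:02:10.000000+0000",'
    '"age":18429,"state":"closed","reason":"shutdown"}}',
    '{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.2","dest_port":443,"app_proto":"tls",'
    '"flow":{"start":"2024-03-01T10:00:00.000000+0000","end":"2024-03-01T10:00:30.000000+0000",'
    '"age":30,"state":"closed","reason":"shutdown"}}',
    '{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"203.0.113.20","dest_port":22,"app_proto":"ssh",'
    '"flow":{"start":"2024-03-01T06:00:00.000000+0000","end":"2024-03-01T11:59:50.000000+0000",'
    '"age":21590,"state":"established","reason":"timeout"}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"signature_id":1}}',
]

LONG_SESSION_PROTOS = {"tls", "ssh", "rdp"}  # assumed watch list of app protocols
FIVE_HOURS = 5 * 3600  # assumed threshold, matching the 5hr+ sessions in the linked pcap

def flow_age_seconds(flow):
    """Use flow.age (seconds) when present, else derive it from flow.start/flow.end."""
    if flow.get("age") is not None:
        return float(flow["age"])
    if "start" in flow and "end" in flow:
        fmt = "%Y-%m-%dT%H:%M:%S.%f%z"  # eve.json timestamp format
        return (datetime.strptime(flow["end"], fmt) - datetime.strptime(flow["start"], fmt)).total_seconds()
    return None

def find_long_sessions(lines, min_seconds=FIVE_HOURS, protos=LONG_SESSION_PROTOS):
    """Return flow records for the watched app protocols whose age is >= min_seconds.
    One record is one tracked flow: a session that idles past the suricata.yaml
    flow timeout and then resumes is logged as several shorter records, not one."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated lines from a live, still-written log
        if ev.get("event_type") != "flow" or ev.get("app_proto") not in protos:
            continue
        age = flow_age_seconds(ev.get("flow", {}))
        if age is None or age < min_seconds:
            continue
        hits.append({"src_ip": ev.get("src_ip"), "dest_ip": ev.get("dest_ip"),
                     "dest_port": ev.get("dest_port"), "app_proto": ev["app_proto"],
                     "age": age, "reason": ev["flow"].get("reason")})
    return hits
```

Because a flow's age can never exceed what the configured timeouts let Suricata track, a long session that beacons slowly will surface as repeated shorter records for the same endpoints rather than one long one, which is exactly the coupling this request asks to loosen.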