Feature #7101

open

eve: add number of flowbits in protocol records and alerts

Added by Peter Manev 5 months ago. Updated 4 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

The number of flowbits present in a protocol log or alert can be very useful for hunting.
Details: https://www.stamus-networks.com/blog/suricata-threat-hunting-fundamentals.

The suggestion is to have a simple key/value added to the JSON logs indicating the number of flowbits present.
This can also be achieved via SIEM aggregations, but if present in the logs it enables more detection formulas and mechanisms.
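The SIEM-side alternative the description mentions, as an added example (this is not Suricata's code nor the reporter's): the script below reads EVE JSON lines, adds a per-record flowbit count, aggregates it per event_type the way a `value_count`-style aggregation would, and filters records by a minimum count for hunting. It assumes records carry `metadata.flowbits` as a list of names, which is how Suricata's EVE output represents flowbits on alert records when metadata logging is enabled; whether a given protocol record carries it depends on the output configuration. The key name `flowbits_count`, the helper names and the sample log lines are constructed for illustration only.

```python
"""Count flowbits in Suricata EVE JSON records.

Added example, not Suricata's own code. Assumption: a record may carry a
"metadata" object whose "flowbits" member is a list of flowbit names (the
shape Suricata's EVE alert output uses when metadata logging is on). The
key "flowbits_count" is a hypothetical name chosen here, not a Suricata field.
"""
import json
from collections import defaultdict

COUNT_KEY = "flowbits_count"  # hypothetical key name, not a Suricata field

# Constructed sample EVE lines for illustration; not captured data.
SAMPLE_EVE = """\
{"timestamp":"2024-06-01T10:00:00.000000+0000","flow_id":101,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature_id":1000001,"signature":"constructed alert"},"metadata":{"flowbits":["http.dottedquadhost","et.http.javaclient"],"flowints":{"http.anomaly.count":2}}}
{"timestamp":"2024-06-01T10:00:01.000000+0000","flow_id":101,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","http":{"hostname":"203.0.113.7","url":"/"},"metadata":{"flowbits":["http.dottedquadhost"]}}
{"timestamp":"2024-06-01T10:00:02.000000+0000","flow_id":102,"event_type":"dns","src_ip":"10.0.0.6","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2024-06-01T10:00:03.000000+0000","flow_id":103,"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"203.0.113.9","alert":{"signature_id":1000002,"signature":"constructed alert 2"},"metadata":{"flowints":{"tcp.retransmission.count":1}}}
"""


def flowbit_count(record):
    """Number of flowbits on a record; 0 when metadata or flowbits is absent.

    Malformed input ("metadata" not an object, "flowbits" not a list) is
    treated as zero flowbits rather than raising.
    """
    meta = record.get("metadata")
    if not isinstance(meta, dict):
        return 0
    bits = meta.get("flowbits")
    if not isinstance(bits, list):
        return 0
    return len(bits)


def enrich_line(line):
    """Parse one EVE line and add COUNT_KEY; None for lines that are not a JSON object.

    Returning None instead of raising keeps one corrupt line from aborting
    processing of a whole log file.
    """
    try:
        record = json.loads(line)
    except ValueError:
        return None
    if not isinstance(record, dict):
        return None
    record[COUNT_KEY] = flowbit_count(record)
    return record


def enrich_stream(text):
    """Yield enriched records for every non-empty, parseable line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = enrich_line(line)
        if rec is not None:
            yield rec


def aggregate(records):
    """SIEM-style aggregation per event_type: record count, records with at
    least one flowbit, total flowbits and the maximum seen on one record."""
    stats = defaultdict(lambda: {"records": 0, "with_flowbits": 0, "total": 0, "max": 0})
    for rec in records:
        s = stats[rec.get("event_type", "unknown")]
        n = rec[COUNT_KEY]
        s["records"] += 1
        s["total"] += n
        s["max"] = max(s["max"], n)
        if n:
            s["with_flowbits"] += 1
    return dict(stats)


def hunt(records, min_bits):
    """Hunting filter: records carrying at least min_bits flowbits."""
    return [r for r in records if r[COUNT_KEY] >= min_bits]


if __name__ == "__main__":
    recs = list(enrich_stream(SAMPLE_EVE))
    for r in recs:
        print(r["event_type"], r["flow_id"], r[COUNT_KEY])
    print(json.dumps(aggregate(recs), indent=2))
    print("flows with >= 2 flowbits:", [r["flow_id"] for r in hunt(recs, 2)])
```

Running it against the constructed lines gives counts 2, 1, 0, 0: the alert on flow 103 carries metadata but no flowbits, and the dns record carries no metadata at all, which is the case a count-in-the-record would make explicit without a separate aggregation query.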


Related issues: 1 (1 open, 0 closed)

Related to Suricata - Task #2167: tracking: eve enhancements (New, assigned to OISF Dev)

#1

Updated by Jason Ish 4 months ago

  • Related to Task #2167: tracking: eve enhancements added
#2

Updated by Jason Ish 4 months ago

Would probably make sense to add for xbits, etc.

Elastic does have the value_count agg though.

#3

Updated by Lukas Sismis 4 months ago

  • Status changed from New to Feedback
  • Assignee changed from OISF Dev to Peter Manev
#4

Updated by Victor Julien 4 months ago

  • Subject changed from add number of flowbits in protocol JSON logs and alerts to eve: add number of flowbits in protocol records and alerts