Feature #7101: eve: add number of flowbits in protocol records and alerts - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #7101

open

eve: add number of flowbits in protocol records and alerts

Added by Peter Manev 5 months ago. Updated 4 months ago.

Status:

Feedback

Priority:

Normal

Assignee:

Peter Manev

Target version:

TBD

Effort:

Difficulty:

Label:

Description

Very useful for hunting can be the number of flowbits present in a protocol log or alert.
Details: https://www.stamus-networks.com/blog/suricata-threat-hunting-fundamentals.

The suggestion is to have a simple key/value added to the JSON logs indicating number of flowbits present.
This can also be achieved via SIEM aggregations but if present in the logs it enables for more detection formulas and mechanisms.

Related issues 1 (1 open — 0 closed)

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #7101

eve: add number of flowbits in protocol records and alerts

Updated by Jason Ish 4 months ago

Updated by Jason Ish 4 months ago

Updated by Lukas Sismis 4 months ago

Updated by Victor Julien 4 months ago