aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc/netflow: Discuss netflow

Browse Source 
Add discussion for netflow configuration, event type and fields
contained in netflow records.

Issue: 5139
pull/13589/head
Jeff Lucovsky 10 months ago committed by Victor Julien
parent e4b3b75b23
commit 97b03b4076
3 changed files with 79 additions and 8 deletions
Show Stats Download Patch File Download Diff File

27
doc/userguide/output/eve/eve-json-format.rst
Unescape Escape View File

@ -3178,3 +3178,30 @@ Example of POP3 logging:
"data": []
}
}
Event type: Netflow
-------------------
Fields
~~~~~~
* "age": duration of the flow (measured from timestamp of last packet and first packet)
* "bytes": total number of bytes to client
* "end": date of the end of the flow
* "max_ttl": maximum observed Time-To-Live (TTL) value
* "min_ttl": minimum observed TTL value
* "pkts": total number of packets to client
* "start": date of start of the flow
* "tx_cnt": number of transactions seen in the flow (only present if flow has an application layer)
Example ::
"netflow": {
"pkts": 1,
"bytes": 160,
"start": "2013-02-26T17:02:42.907340-0500",
"end": "2013-02-26T17:02:42.907340-0500",
"age": 0,
"min_ttl": 1,
"max_ttl": 1
}

17
doc/userguide/output/eve/eve-json-output.rst
Unescape Escape View File

@ -348,6 +348,23 @@ YAML::
The logger is disabled by default since ARP can generate a large
number of events.
Netflow
~~~~~~~
Netflow records closely relate to flow records except that they are unidirectional while flow records
are bidirectional. This means that there will be twice as many netflow records as there are flow records.
Netflow records are disabled by default.
YAML::
#- netflow
To enable netflow, change this to::
- netflow:
enabled: yes
MQTT
~~~~

43
etc/schema.json
Unescape Escape View File

@ -3742,28 +3742,55 @@
"additionalProperties": false,
"properties": {
"age": {
"type": "integer"
"type": "integer",
"description": "Duration of the flow (measured from timestamp of last packet and first packet)",
"suricata": {
"keywords": [
"flow.age"
]
}
},
"bytes": {
"type": "integer"
"type": "integer",
"description": "Total number of bytes transferred to server/client",
"suricata": {
"keywords": [
"flow.bytes",
"flow.bytes_toserver",
"flow.bytes_toclient"
]
}
},
"end": {
"type": "string"
"type": "string",
"description": "Date of the end of the flow"
},
"max_ttl": {
"type": "integer"
"type": "integer",
"description": "Maximum observed Time-To-Live (TTL) value"
},
"min_ttl": {
"type": "integer"
"type": "integer",
"description": "Minimum observed TTL value"
},
"pkts": {
"type": "integer"
"type": "integer",
"description": "Total number of packets transferred to server,client",
"suricata": {
"keywords": [
"flow.pkts",
"flow.pkts_toserver",
"flow.pkts_toclient"
]
}
},
"start": {
"type": "string"
"type": "string",
"description": "Date of start of the flow"
},
"tx_cnt": {
"type": "integer"
"type": "integer",
"description": "Number of transactions seen in the flow (only present if flow has an application layer)"
}
},
"optional": true

Write Preview
Loading…
Cancel
Save