From 97b03b4076909a06ed961e119e19ef79fb4048b0 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sat, 28 Jun 2025 10:18:49 -0400
Subject: [PATCH] doc/netflow: Discuss netflow

Add discussion for netflow configuration, event type and fields contained in netflow records.

Issue: 5139
---
 doc/userguide/output/eve/eve-json-format.rst | 27 ++++++++++++
 doc/userguide/output/eve/eve-json-output.rst | 17 ++++++++
 etc/schema.json | 43 ++++++++++++++++----
 3 files changed, 79 insertions(+), 8 deletions(-)

diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 180fe6ca04..70bad2cdff 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -3178,3 +3178,30 @@ Example of POP3 logging:
 "data": []
 }
 }
+
+Event type: Netflow
+-------------------
+
+Fields
+~~~~~~
+
+* "age": duration of the flow (measured from timestamp of last packet and first packet)
+* "bytes": total number of bytes to client
+* "end": date of the end of the flow
+* "max_ttl": maximum observed Time-To-Live (TTL) value
+* "min_ttl": minimum observed TTL value
+* "pkts": total number of packets to client
+* "start": date of start of the flow
+* "tx_cnt": number of transactions seen in the flow (only present if flow has an application layer)
+
+Example ::
+
+ "netflow": {
+ "pkts": 1,
+ "bytes": 160,
+ "start": "2013-02-26T17:02:42.907340-0500",
+ "end": "2013-02-26T17:02:42.907340-0500",
+ "age": 0,
+ "min_ttl": 1,
+ "max_ttl": 1
+ }
diff --git a/doc/userguide/output/eve/eve-json-output.rst b/doc/userguide/output/eve/eve-json-output.rst
index 6b96b56b46..4b49fb5078 100644
--- a/doc/userguide/output/eve/eve-json-output.rst
+++ b/doc/userguide/output/eve/eve-json-output.rst
@@ -348,6 +348,23 @@ YAML::
 The logger is disabled by default since ARP can generate a large number of events.
+Netflow
+~~~~~~~
+
+Netflow records closely relate to flow records except that they are unidirectional while flow records
+are bidirectional. This means that there will be twice as many netflow records as there are flow records.
+
+Netflow records are disabled by default.
+
+YAML::
+
+ #- netflow
+
+To enable netflow, change this to::
+
+ - netflow:
+ enabled: yes
+
 MQTT
 ~~~~
diff --git a/etc/schema.json b/etc/schema.json
index 366a50d1d8..2ba472f5aa 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -3742,28 +3742,55 @@
 "additionalProperties": false,
 "properties": {
 "age": {
- "type": "integer"
+ "type": "integer",
+ "description": "Duration of the flow (measured from timestamp of last packet and first packet)",
+ "suricata": {
+ "keywords": [
+ "flow.age"
+ ]
+ }
 },
 "bytes": {
- "type": "integer"
+ "type": "integer",
+ "description": "Total number of bytes transferred to server/client",
+ "suricata": {
+ "keywords": [
+ "flow.bytes",
+ "flow.bytes_toserver",
+ "flow.bytes_toclient"
+ ]
+ }
 },
 "end": {
- "type": "string"
+ "type": "string",
+ "description": "Date of the end of the flow"
 },
 "max_ttl": {
- "type": "integer"
+ "type": "integer",
+ "description": "Maximum observed Time-To-Live (TTL) value"
 },
 "min_ttl": {
- "type": "integer"
+ "type": "integer",
+ "description": "Minimum observed TTL value"
 },
 "pkts": {
- "type": "integer"
+ "type": "integer",
+ "description": "Total number of packets transferred to server,client",
+ "suricata": {
+ "keywords": [
+ "flow.pkts",
+ "flow.pkts_toserver",
+ "flow.pkts_toclient"
+ ]
+ }
 },
 "start": {
- "type": "string"
+ "type": "string",
+ "description": "Date of start of the flow"
 },
 "tx_cnt": {
- "type": "integer"
+ "type": "integer",
+ "description": "Number of transactions seen in the flow (only present if flow has an application layer)"
 }
 },
 "optional": true
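Review bot: The `age` description added in the etc/schema.json hunk gives no unit — the companion rst example shows `"age": 0` as a bare integer and neither the schema nor the eve-json-format.rst bullet says whether that is seconds — so a consumer building flow-duration baselines from these records has to guess; suggest `"description": "Duration of the flow in <unit>, measured between the timestamps of the first and last packet"` with the unit confirmed against the netflow logger. The new `bytes` and `pkts` descriptions are also inconsistent with each other (`to server/client` vs `to server,client`) and with the eve-json-format.rst hunk, which says `to client`; since the eve-json-output.rst hunk states that netflow records are unidirectional, one wording such as `Total number of bytes in the direction this record describes` would align all three places. Listing both `flow.bytes_toserver` and `flow.bytes_toclient` (and the pkts equivalents) under `suricata.keywords` for a single unidirectional counter is presumably deliberate, but the description could say which one applies to a given record. `start` and `end` remain plain strings with no format hint; because the example timestamps carry a `-0500` offset without a colon, adding `"format": "date-time"` would fail strict RFC 3339 validators, so stating the timestamp format in the description is the safer way to document them.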