File: tag.rst

Tag
===

The `tag` keyword allows tagging of the current and future packets.

Tagged packets can be logged via `EVE` and via conditional PCAP logging.

Tagging is limited to a scope: `host` or `session` (flow). When using `host` a
direction can be specified: `src` or `dst`. Tagging will then occur based on the
`src` or `dst` IP address of the packet generating the alert.

Tagging is further controlled by a count: `packets`, `bytes` or `seconds`. If the
count is omitted, built-in defaults are used:

- for `session`: 256 packets
- for `host`: 256 packets for the destination IP of the packet triggering the alert

The `tag` keyword can appear multiple times in a rule.

Syntax
~~~~~~

::

    tag:<scope>[,<count>, <metric>[,<direction>]];

- Values for `scope`: `session` and `host`
- Values for `metric`: `packets`, `bytes`, `seconds`
- Values for `direction`: `src` and `dst`

.. note:: "direction" can only be specified if scope is "host" and both "count"
   and "metric" are also specified.

Examples
~~~~~~~~

Keyword::

    tag:session;                # tags next 256 packets in the flow
    tag:host;                   # tags next 256 packets for the dst ip of the alert
    tag:host,100,packets,src;   # tags next 100 packets for src ip of the alert
    tag:host,3600,seconds,dst;  # tags packets for dst host for the next hour

Full rule examples:

.. container:: example-rule

   alert dns any any -> any any (dns.query; content:"evil"; tag:host,60,seconds,src; sid:1;)

.. container:: example-rule

   alert http any any -> any any (http.method; content:"POST"; tag:session; sid:1;)

How to Use Tags
~~~~~~~~~~~~~~~

EVE
"""

Tags can be set to generate `EVE` `tag` records:

.. code-block:: yaml

    outputs:
      - eve-log:
          enabled: yes
          filename: eve.json
          types:
            - alert:
                tagged-packets: true

The tagged packets will then be logged with `event_type`: `packet`:

.. code-block:: json

    {
      "timestamp": "2020-06-03T10:29:17.850417+0000",
      "flow_id": 1576832511820424,
      "event_type": "packet",
      "src_ip": "192.168.0.27",
      "src_port": 54634,
      "dest_ip": "192.168.0.103",
      "dest_port": 22,
      "proto": "TCP",
      "pkt_src": "wire/pcap",
      "packet": "CAAn6mWJAPSNvfrHCABFAAAogkVAAIAG9rfAqAAbwKgAZ9VqABZvnJXH5Zf6aFAQEAljEwAAAAAAAAAA",
      "packet_info": {
        "linktype": 1
      }
    }

EVE: :ref:`Eve JSON Output <eve-json-output>`
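As an added example (not code from the Suricata project), the following Python decodes the `packet` field of the EVE record shown above (linktype 1, Ethernet carrying IPv4) and cross-checks the decoded headers against the record's own `src_ip`, `dest_ip`, port and `proto` fields; the sample record is the one above, embedded inline.

```python
import base64
import json
import struct

# The EVE "packet" record shown above, embedded here as sample input.
SAMPLE_RECORD = json.loads("""{"timestamp": "2020-06-03T10:29:17.850417+0000",
 "flow_id": 1576832511820424, "event_type": "packet",
 "src_ip": "192.168.0.27", "src_port": 54634,
 "dest_ip": "192.168.0.103", "dest_port": 22, "proto": "TCP",
 "pkt_src": "wire/pcap",
 "packet": "CAAn6mWJAPSNvfrHCABFAAAogkVAAIAG9rfAqAAbwKgAZ9VqABZvnJXH5Zf6aFAQEAljEwAAAAAAAAAA",
 "packet_info": {"linktype": 1}}""")

IP_PROTO_NAMES = {6: "TCP", 17: "UDP"}


def decode_tagged_packet(record):
    """Decode the base64 frame of an EVE packet record and return the
    Ethernet/IPv4/L4 header fields as a dict. Only linktype 1 (Ethernet)
    and IPv4 are handled; anything else raises ValueError."""
    if record.get("event_type") != "packet":
        raise ValueError("not an EVE packet record")
    if record["packet_info"]["linktype"] != 1:
        raise ValueError("only linktype 1 (Ethernet) is handled here")
    frame = base64.b64decode(record["packet"])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]                      # IPv4 header starts after 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    parsed = {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dest_ip": ".".join(str(b) for b in ip[16:20]),
        "proto": IP_PROTO_NAMES.get(proto, str(proto)),
        "ip_len": total_len,
        "frame_len": len(frame),         # includes any Ethernet padding after the IP packet
    }
    l4 = ip[ihl:total_len]               # slice to total_len so trailing padding is ignored
    if proto in (6, 17):
        parsed["src_port"], parsed["dest_port"] = struct.unpack("!HH", l4[:4])
    if proto == 6:
        parsed["tcp_flags"] = l4[13]     # e.g. 0x10 = ACK
    return parsed


def record_matches_packet(record):
    """Return True when the record's metadata agrees with the decoded frame;
    a mismatch means the log line and its payload do not describe the same packet."""
    p = decode_tagged_packet(record)
    return all(record[k] == p[k] for k in ("src_ip", "dest_ip", "src_port", "dest_port", "proto"))
```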

Conditional PCAP Logging
""""""""""""""""""""""""

With the conditional PCAP logging option, the tag keyword controls which
packets the PCAP logger writes.

.. code-block:: yaml

    outputs:
      - pcap-log:
          enabled: yes
          filename: log.pcap
          limit: 1000mb
          max-files: 2000
          compression: none
          mode: normal
          use-stream-depth: no  # If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
          honor-pass-rules: no  # If set to "yes", flows in which a pass rule matched will stop being logged.
          # Use "all" to log all packets or use "alerts" to log only alerted packets and flows or "tag"
          # to log only flow tagged via the "tag" keyword
          conditional: tag

PCAP Logging: :ref:`PCAP log <suricata_yaml_pcap_log>`

Tracking by Host/Flow
~~~~~~~~~~~~~~~~~~~~~

When a tag uses the `session` scope, the tag is added to the `Flow`
structure. If a packet has no flow, no tagging happens, and no
errors or warnings are generated for this.

See :ref:`Flow Settings <suricata-yaml-flow-settings>` for managing flow
limits and resources.

When a tag uses the `host` scope, the tag is stored with a `Host`
object in the host table. The host table size therefore affects the
effectiveness of per-host tags.

See :ref:`Host Settings <suricata-yaml-host-settings>` for managing host
table size.