Flow Statistics Plugin
Jacob van Walraven edited this page Mar 2, 2020 · 18 revisions
The flow statistics plugin exports flow information for each protocol (or protocol category) listed in its configuration. The following fields are exported:
- flow_id - unique identifier for the flow.
- protocol - libprotoident protocol for the flow.
- category - libprotoident category for the flow.
- type - one of flow_start, flow_interval or flow_end.
- start_ts - the starting timestamp for the flow.
- duration - the current duration of the flow.
- ttfb - the time taken to receive the first byte of payload data.
- end_ts - the ending timestamp for the flow (only for the flow_end type).
- source_ip - source IP address for the flow.
- destination_ip - destination IP address for the flow.
- src_port - source port for the flow.
- dst_port - destination port for the flow.
- in_bytes - number of inbound bytes seen since the last report.
- out_bytes - number of outbound bytes seen since the last report.
- in_bytes_total - total number of inbound bytes seen for the flow.
- out_bytes_total - total number of outbound bytes seen for the flow.
- tls - if export_tls is enabled, the following additional fields are exported for TLS flows:
  - version - the TLS version used.
  - version_text - the TLS version as text.
  - cipher - the TLS cipher used.
  - cipher_text - the TLS cipher as text.
  - handshake_complete - whether all handshake packets were processed.
  - handshake_finished - whether the TLS handshake has finished, i.e. application data has been seen.
  - client - an object containing:
    - ja3
    - supported_ciphers []
    - certificates []
  - server - an object containing:
    - ja3 (emitted as ja3s in the example output below)
    - certificates []
  - each entry in a certificates list contains:
    - alt_names []
    - SHA1
    - not_before
    - not_after
    - version
    - public_key_size
    - signature_algorithm
    - public_key_algorithm
    - serial
    - certificate_authority
    - subject - an object with common_name, organization and country
    - issuer - an object with common_name, organization and country
Configuration (YAML):

```yaml
# flow statistics
flow_statistics:
  enabled: 0
  # how often to output results (seconds)
  output_interval: 60
  # protocols to output flow information for. Refer to the Libprotoident
  # (https://github.com/wanduow/libprotoident) protocol modules for the correct names.
  # Use ALL to output flow information for every protocol.
  protocols:
    - HTTP
    - SSH
    - HTTPS
  # protocol categories to output flow information for. Refer to Libprotoident
  # for category names.
  protocol_categories:
    - Remote_Access
  # export tls related fields on tls flows. These include the ja3_md5 hash for
  # the client/server hello messages and the hostname requested in the client
  # hello.
  export_tls: 1
```
An example record emitted for a TLS flow (addresses redacted):

```json
{
  "source": {
    "ip": "xxx.xxx.xxx.xxx",
    "port": 50276
  },
  "destination": {
    "ip": "yyy.yyy.yyy.yyy",
    "port": 10050
  },
  "flow": {
    "id": 6137,
    "protocol": "SSL/TLS",
    "category": "Encryption",
    "type": "flow_start",
    "start_ts": 1582855141000,
    "duration": 0.045701,
    "ttfb": 0.045701,
    "in_bytes": 63,
    "out_bytes": 326,
    "in_bytes_total": 63,
    "out_bytes_total": 326,
    "tls": {
      "version": 771,
      "version_text": "TLS 1.2",
      "cipher": 140,
      "cipher_text": "TLS_PSK_WITH_AES_128_CBC_SHA",
      "handshake_complete": true,
      "handshake_finished": false,
      "client": {
        "ja3": "5d0b92c735f2b88891fba74c386118ce",
        "supported_ciphers": [
          "TLS_AES_256_GCM_SHA384",
          "TLS_CHACHA20_POLY1305_SHA256",
          "TLS_AES_128_GCM_SHA256",
          "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
          "UNKNOWN",
          "TLS_PSK_WITH_AES_128_GCM_SHA256",
          "TLS_PSK_WITH_AES_128_CCM_8",
          "TLS_PSK_WITH_AES_128_CCM",
          "TLS_PSK_WITH_AES_128_CBC_SHA256",
          "TLS_PSK_WITH_AES_128_CBC_SHA",
          "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
        ],
        "certificates": []
      },
      "server": {
        "ja3s": "3b89a26c33d3f6fa36c0496007883b7e",
        "certificates": []
      }
    }
  },
  "module": "flow_statistics",
  "timestamp": 1582855141000
}
```
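The record format above is what a downstream consumer has to work with, so here is an added example (not the plugin's own code) of a small Python consumer that parses these records, keeps the cumulative per-flow byte counts across flow_start/flow_interval/flow_end reports, and raises defender-side findings from the TLS fields: a legacy TLS version, a handshake that completed but never carried application data, an expired server certificate, and an undersized RSA key. It assumes things the page does not state: one JSON object per line, start_ts/end_ts in milliseconds since the epoch, certificate not_before/not_after in seconds since the epoch, and a local policy threshold of 2048 RSA bits. All sample records are constructed, not captured output.

```python
"""Consumer for flow_statistics JSON records (added example, not plugin code).

Assumptions the wiki page does not state: one JSON object per line;
start_ts/end_ts are milliseconds since the epoch; certificate
not_before/not_after are seconds since the epoch. Sample data is constructed.
"""
import json

TLS_1_2 = 771        # the "version" value the page's sample pairs with "TLS 1.2"
MIN_RSA_BITS = 2048  # local policy threshold chosen for this example


def _record(flow_id, proto, category, ftype, ts_ms, tls=None, **counters):
    """Build one constructed record in the plugin's output shape."""
    flow = {"id": flow_id, "protocol": proto, "category": category, "type": ftype,
            "start_ts": ts_ms, "duration": 1.5, "ttfb": 0.05,
            "in_bytes": 0, "out_bytes": 0, "in_bytes_total": 0, "out_bytes_total": 0}
    flow.update(counters)
    if ftype == "flow_end":
        flow["end_ts"] = ts_ms + 1500  # constructed: flow lasted 1.5 s
    if tls is not None:
        flow["tls"] = tls
    return json.dumps({"source": {"ip": "198.51.100.10", "port": 50276},
                       "destination": {"ip": "203.0.113.5", "port": 443},
                       "flow": flow, "module": "flow_statistics", "timestamp": ts_ms})


# Constructed certificate entry using the field names from the page's tls.certificates list.
OLD_CERT = {"alt_names": ["old.example.test"], "SHA1": "<constructed>",
            "not_before": 1546300800, "not_after": 1577836800, "version": 3,
            "public_key_size": 1024, "signature_algorithm": "sha256WithRSAEncryption",
            "public_key_algorithm": "RSA", "serial": "01", "certificate_authority": False,
            "subject": {"common_name": "old.example.test", "organization": "Example", "country": "NZ"},
            "issuer": {"common_name": "Example CA", "organization": "Example", "country": "NZ"}}

SAMPLE_LINES = [
    _record(6137, "SSL/TLS", "Encryption", "flow_start", 1582855141000,
            tls={"version": 771, "version_text": "TLS 1.2", "handshake_complete": True,
                 "handshake_finished": False, "server": {"certificates": []}},
            in_bytes=63, out_bytes=326, in_bytes_total=63, out_bytes_total=326),
    _record(6137, "SSL/TLS", "Encryption", "flow_end", 1582855141000,
            tls={"version": 771, "version_text": "TLS 1.2", "handshake_complete": True,
                 "handshake_finished": True, "server": {"certificates": [OLD_CERT]}},
            in_bytes=4000, out_bytes=900, in_bytes_total=4063, out_bytes_total=1226),
    _record(6138, "HTTP", "Web", "flow_end", 1582855150000,
            in_bytes_total=512, out_bytes_total=2048),
    _record(6139, "SSL/TLS", "Encryption", "flow_end", 1582855160000,
            tls={"version": 769, "version_text": "TLS 1.0", "handshake_complete": True,
                 "handshake_finished": False, "server": {"certificates": []}}),
]


def parse_record(line):
    """Parse one line and check the top-level shape before anything trusts it."""
    rec = json.loads(line)
    for key in ("source", "destination", "flow", "module", "timestamp"):
        if key not in rec:
            raise ValueError(f"missing top-level field {key!r}")
    if rec["module"] != "flow_statistics":
        raise ValueError(f"unexpected module {rec['module']!r}")
    return rec


def tls_findings(rec):
    """Return a list of policy findings derived from the record's tls block."""
    flow = rec["flow"]
    tls = flow.get("tls")
    findings = []
    if tls is None:
        return findings
    if tls["version"] < TLS_1_2:
        findings.append(f"legacy TLS version {tls.get('version_text', tls['version'])}")
    # Only judge the handshake once the flow is over; a flow_start legitimately
    # reports handshake_finished == false (see the page's example record).
    if flow["type"] == "flow_end" and tls["handshake_complete"] and not tls["handshake_finished"]:
        findings.append("handshake never finished (no application data)")
    ref_ts = flow.get("end_ts", flow["start_ts"]) / 1000.0  # ms -> s (assumption)
    for cert in tls.get("server", {}).get("certificates", []):
        name = cert.get("subject", {}).get("common_name", "?")
        if cert.get("not_after") is not None and cert["not_after"] < ref_ts:
            findings.append(f"expired server certificate for {name}")
        if (cert.get("public_key_algorithm") == "RSA"
                and cert.get("public_key_size", MIN_RSA_BITS) < MIN_RSA_BITS):
            findings.append(f"weak RSA key ({cert['public_key_size']} bits) for {name}")
    return findings


def summarize_flows(lines):
    """Fold all reports for each flow id into one summary with cumulative totals."""
    flows = {}
    for line in lines:
        rec = parse_record(line)
        flow = rec["flow"]
        entry = flows.setdefault(flow["id"], {"protocol": flow["protocol"], "findings": [],
                                              "in_bytes_total": 0, "out_bytes_total": 0,
                                              "ended": False})
        # *_total fields are cumulative, so the latest report carries the answer.
        entry["in_bytes_total"] = flow["in_bytes_total"]
        entry["out_bytes_total"] = flow["out_bytes_total"]
        entry["ended"] = entry["ended"] or flow["type"] == "flow_end"
        for finding in tls_findings(rec):
            if finding not in entry["findings"]:
                entry["findings"].append(finding)
    return flows


if __name__ == "__main__":
    for flow_id, summary in summarize_flows(SAMPLE_LINES).items():
        print(flow_id, summary)
```

Because in_bytes_total and out_bytes_total are cumulative while in_bytes and out_bytes are per-interval deltas, the summary takes the totals from the most recent report rather than summing them; summing the totals would double count every flow that emits more than one record.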