Thanks for open-sourcing this project. We have used Tulip during a CTF with a few patches of our own that we'd now like to contribute back into the original project.
This pull request adds the ability to tag traffic based on flowbits encountered in the `eve.json` file.
We really like the tagging system and interface that Tulip provides. However, we wanted the ability to not just include interesting traffic, but also the ability to exclude 'boring' traffic. We wanted to tag traffic that we didn't find that interesting, but noticed that the enricher could only tag traffic based on alerts. As we want to alert only on traffic that we were interested in, we wanted a different way to tag traffic.
As flowbits are by default included for every flow in the `eve.json` file, we can just use that information to add tags to flows, similarly to how tags are already added based on alerts. By default, this option is enabled, but can be disabled by setting the `flowbits` option to false when starting the enricher.
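As an added illustration of the tagging described above (example code, not the Tulip enricher's own implementation), the block below reads constructed `eve.json` lines, derives tags from alert signatures and, when the `flowbits` option is on, from each event's flowbits, and then shows the "exclude boring traffic" use case as a filter over the resulting tags. The event field layout (`alert.signature`, `metadata.flowbits`) and the `flowbit:` tag prefix are assumptions.

```python
import json
from collections import defaultdict

# Constructed Suricata-style eve.json lines (not taken from any real capture).
# Assumed layout: alert events carry alert.signature, and an optional
# "metadata" object carries the flowbits set on the flow.
EVE_LINES = [
    '{"flow_id": 1, "event_type": "alert", "alert": {"signature": "flag exfil"}, "metadata": {"flowbits": ["checker"]}}',
    '{"flow_id": 2, "event_type": "flow", "metadata": {"flowbits": ["healthcheck"]}}',
    '{"flow_id": 3, "event_type": "flow"}',
]


def tags_for_event(event, flowbits=True):
    """Return the set of tags one EVE event contributes to its flow.

    Alerts yield their signature (the existing behaviour); when `flowbits` is
    enabled, every event carrying metadata.flowbits also yields one
    "flowbit:<name>" tag per bit (assumed prefix).
    """
    tags = set()
    if event.get("event_type") == "alert":
        sig = event.get("alert", {}).get("signature")
        if sig:
            tags.add(sig)
    if flowbits:
        for bit in event.get("metadata", {}).get("flowbits", []):
            tags.add(f"flowbit:{bit}")
    return tags


def enrich(lines, flowbits=True):
    """Map flow_id -> sorted tag list, skipping malformed or flow-less lines."""
    by_flow = defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line in a live-tailed file must not abort enrichment
        if "flow_id" not in event:
            continue
        by_flow[event["flow_id"]] |= tags_for_event(event, flowbits)
    return {fid: sorted(t) for fid, t in by_flow.items()}


def interesting_flows(tagged, boring_tags):
    """Flow ids whose tags do not intersect the 'boring' set (the exclude use case)."""
    return sorted(fid for fid, t in tagged.items() if not set(t) & boring_tags)
```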