Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at stenographer@googlegroups.com
Apache License 2.0
Wishlist: Community ID indexed flow extraction #210
IDS developers have recently started to introduce a cross-vendor, symmetric, reproducible algorithm to derive flow identifiers, called Community ID (see https://github.com/corelight/community-id-spec). This is being adopted at least by Suricata and Zeek/Bro, for now.
It would be useful to have packets stored by stenographer indexed by their community IDs so whole flows can be efficiently extracted at query time for a given ID. This would allow for better interoperability between the detection side (IDS) and the storage side (stenographer).