💾 Archived View for radia.bortzmeyer.org › fosdem › event-11228.gmi captured on 2023-12-28 at 20:18:03. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-06-14)
-=-=-=-=-=-=-
Christian Kreibich
Type devroom
Simple flow tuple correlation for Zeek, Suricata, and beyond
Starts on day 2 (2021-02-07) at 17:40 (Brussels time, UTC+1) in room Sdn (duration 00:20)
Matrix room #sdn:fosdem.org
Network security practitioners frequently need to correlate logs and alerts produced by the systems installed in their networks. For example, a Suricata alert might require the context of Zeek's connection logs for the alert to become actionable. Normally the best way to make such correlations is by manually identifying the flow tuple involved, in each of the monitor outputs involved, around the timestamps in question -- a tedious and error-prone task.
To simplify this process we're standardizing a straightforward algorithm, dubbed "Community ID" (https://github.com/corelight/community-id-spec), that produces short textual hashes that reliably identify network flows directly at the source. Flow correlation then becomes a straightforward string comparison operation. Popular open-source network monitoring solutions now include support for this emerging standard, including Suricata, Wireshark, and Zeek, and there's a growing library of reusable implementations in various common programming languages.
In this talk we will motivate the Community ID standard, report on its current implementation status, and demonstrate it to the community.