[Filebeat] Netflow input - expand TCP controls bits to list of named flags #12858
Labels
enhancement
Filebeat
Filebeat
Team:Security-Deployment and Devices
Deployment and Devices Team in Security Solution
Comments
|
I agree with this. Here is a full list of TCP flag conversions: |
|
There's an implementation in Flowbeat (the POC for the netflow input in Filebeat). https://github.com/andrewkroh/flowbeat/blob/f0ae1113928f83b81442b92863975d82ef2308c2/beater/tcpflags.go |
|
Pinging @elastic/siem (Team:SIEM) |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
5 tasks
andrewkroh
added
the
Team:Security-Deployment and Devices
|
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While converting the Logstash dashboards to work with Filebeat I didn't see anywhere that the tcpControlBits field gets expanded to a list of flags (e.g. 30 is SYN, RST, PSH, ACK). I think this would be nice enhancement and might make it easier to visualize the flags or filter flows based on a flag.
The text was updated successfully, but these errors were encountered: