It seems alerts don’t specify the flow direction (which side is client/server). The tuple order in the alert is the order of the packet that fired the alert. I see there’s a feature request still pending here to add this. Is there any other way to get this information? Would writing a Lua output script be the best alternative?
Also, a question on Lua scripting: with needs["type"] = "flow", when does that fire the log function? When the flow closes? If so, that may be too late for long-running flows, because I need to get the flow direction around the same time the alert fires. I only need this information for alerted flows, not all flows. Thanks for any help or suggestions!
Yes, I have seen those. Those are for defining rules. As I understand it, you can use that to specify which direction a rule should match on. The issue I am having is not how to write a rule, but how to know (log) the direction of a flow (not the direction of the packet/match) for all alerts, regardless of whether they match in only one direction or in both directions. So, basically, for TCP flows that alert, I want to know which ip/port was the client and which ip/port was the server.
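As an added example (not the poster's script and not code from the Suricata project), the script below shows the Lua output approach the thread is asking about. It registers with needs["type"] = "packet" and needs["filter"] = "alerts", so log() runs once per alerting packet at alert time rather than when the flow is logged, and it writes both tuples side by side: SCPacketTuple() (the order shown in the alert) and SCFlowTuple(), whose source is the flow initiator, i.e. the side Suricata treats as the client. It assumes the documented Suricata Lua output functions (SCFlowTuple, SCPacketTuple, SCRuleIds, SCRuleMsg, SCPacketTimeString, SCLogPath, SCLogInfo); the output file name alert-direction.log is an arbitrary choice.

```lua
-- Added example, not the poster's or Suricata's own code.
-- Assumes Suricata's documented Lua output API; the log file name is arbitrary.

function init (args)
    local needs = {}
    -- "packet" + "alerts": log() is called for every packet that raised an
    -- alert, at alert time, instead of at flow end as with type "flow".
    needs["type"] = "packet"
    needs["filter"] = "alerts"
    return needs
end

function setup (args)
    filename = SCLogPath() .. "/alert-direction.log"
    file = assert(io.open(filename, "a"))
    SCLogInfo("alert direction log: " .. filename)
    count = 0
end

function log (args)
    local ts = SCPacketTimeString()
    local sid, rev, gid = SCRuleIds()
    local msg = SCRuleMsg()

    -- Packet tuple: src/dst exactly as in the packet that matched the rule.
    local pver, psrc, pdst, pproto, psp, pdp = SCPacketTuple()

    -- Flow tuple: src/dst as seen in the flow's first packet, so src is the
    -- flow initiator (client) and dst is the responder (server).
    local fver, fsrc, fdst, fproto, fsp, fdp = SCFlowTuple()

    -- Direction of this particular packet relative to the flow.
    local dir = "to_server"
    if psrc ~= fsrc or psp ~= fsp then
        dir = "to_client"
    end

    file:write(string.format(
        "%s [%d:%d:%d] %s | client=%s:%d server=%s:%d | pkt %s:%d -> %s:%d (%s)\n",
        ts, gid, sid, rev, msg, fsrc, fsp, fdst, fdp, psrc, psp, pdst, pdp, dir))
    file:flush()
    count = count + 1
end

function deinit (args)
    SCLogInfo("alert direction log events: " .. count)
    file:close(file)
end
```

The script is enabled under outputs in suricata.yaml with a lua entry (enabled: yes, scripts-dir pointing at its directory, and the file listed under scripts). One caveat a practitioner should keep in mind: the flow tuple's "client" is whichever side sent the first packet Suricata saw, so for flows picked up midstream (engine start, asymmetric capture, packet loss) the client/server assignment can be inverted; a flow that starts with an observed SYN is the reliable case.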