IPv6 compact version support in Suricata Alerts

Aaron_Chen_Xu · July 30, 2024, 6:02am

Please include the following information with your help request:

Suricata version: 7.0.4

Operating system and/or Linux distribution: RHEL8

How you installed Suricata: From official package

The suricata_alerts dataset seems to used fully-expanded IP6 fields, for example for the format:
2620:0149:0004:3d99:fc4e:ec13:0247:6c28,
instead of:
2620:149:4:3d99:fc4e:ec13:247:6c28.

Consider many other systems are using the “A Compact Representation of IPv6 Addresses: RFC 1924 - A Compact Representation of IPv6 Addresses”.

In order to better co-operate/co-reference during network analysis operations, is there a way to configure the Suricata into the compact IPv6 format version into its output log/alert? If this is not available now, is it in the development roadmap?

Many Thanks!
br./Aaron

vjulien · July 30, 2024, 7:12am

I guess it could be added as an option, but it’s not planned. Might be a good feature for someone looking to get into contributing.

Feel free to open a feature ticket.

Topic		Replies	Views
IPv6 alerts always have the same IP for the source and destination	8	1100	September 16, 2020
Support for DNS over IPv6 Help	1	371	June 12, 2020
How to get the IP version (IPV4 vs IPV6) of an alert using eve.json	2	479	July 7, 2021
Suricata yaml IPv6 Range Help suricata	1	617	April 16, 2022
Suricata alerts by src_IP Tips and Tricks	0	513	June 6, 2022

IPv6 compact version support in Suricata Alerts

Related topics