suricta: add error handling when extracting suricata flows

stratosphereips · Aug 5, 2024 · 0b21f04 · 0b21f04
1 parent 5f51dd1
commit 0b21f04
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/parsers/suricata.py b/parsers/suricata.py
@@ -40,6 +40,8 @@ def extract_flow(self, line: str) -> dict:
         or icmp type and code from icmp flows from the given line
         :param line: suricata line as read from the file
         """
+        if not "flow" in line:
+            return {}
         proto = line['proto'].lower()
         flow = {
             'timestamp':  line['flow']['start'],
@@ -101,8 +103,14 @@ def parse(self):
                         # only read benign flows and alert events
                         continue
 
-
                     flow: dict = self.extract_flow(line)
+                    if not flow:
+                        self.log("",
+                                 f"Problem extracting suricata flow "
+                                 f"from line: {line} .. Skipping line.",
+                                 error=True)
+                        continue
+
                     original_ts = flow['timestamp']
                     timestamp = self.timestamp_handler.convert_iso_8601_to_unix_timestamp(flow['timestamp'])
                     flow['timestamp'] = timestamp