<div>Hi,</div>
<div> </div>
<div>Is there a chance that you can share a small pcap for this? privately if you would like - lets say for a smaller amount of time - that would be possible to be mailed....</div>
<div>Please have in mind that Suricata actually logs only properly terminated connections in terms of http (FA received, proper tcp teardown).</div>
<div> </div>
<div>Thanks<br></div>
<div class="gmail_quote">On Fri, Mar 30, 2012 at 4:35 PM, Peter Bates <span dir="ltr"><<a href="mailto:peter.bates@ucl.ac.uk">peter.bates@ucl.ac.uk</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
<div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br><br></div>Hello all<br>
<div class="im"><br>On 30/03/2012 14:12, Peter Manev wrote:<br>> Is there any way that you could compare the two logs by the ways<br>> of scripting/bashing ? - if Suri and httpry are running at the same<br>> time (maybe just 10 min time span)?<br>
<br></div>Running both for ten minutes (both sniffing from eth1):<br>- -rw-r-----. 1 snort snort 2.0M Mar 30 14:30 http.log.10mins<br>- -rw-r--r--. 1 httpry httpry 268M Mar 30 14:30 httpry.log.10mins<br><br>Httpry is only compiled with libpcap and I was running Suricata with<br>
AFPACKET so I tried a test for 10 seconds with both using pcap:<br><br>- -rw-r--r--. 1 root root 2.1M Mar 30 14:39 httpry.log<br>- -rw-r-----. 1 snort snort 590K Mar 30 14:35 http.log<br><br>Httpry by default also logs the server responses on a seperate line,<br>
but I've removed those and still see the difference above.<br><br>Taking an arbitrary host from the log, '<a href="http://grooveshark.com/" target="_blank">grooveshark.com</a>':<br>http.log:<br><br>03/30/2012-15:16:00.459591 /more.php?getStreamKeyFromSongIDEx<br>
03/30/2012-15:16:00.716673 /more.php?albumGetAllSongs<br>03/30/2012-15:16:00.749612 /more.php?markSongDownloadedEx<br>03/30/2012-15:16:00.801473 /more.php?getArtistByID<br>03/30/2012-15:16:01.024251 /more.php?getAlbumRecentListeners<br>
03/30/2012-15:16:01.889693 /more.php?getArtistProfileFeed<br>03/30/2012-15:16:01.995698 /more.php?artistGetAllSongs<br>03/30/2012-15:16:06.547887 /more.php?addSongsToQueue<br>03/30/2012-15:16:18.436115<br>/dfpAds.html?p=artist_profile&w=728&h=90&2=865&3=4331&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1<br>
03/30/2012-15:16:18.873468 /more.php?addSongsToQueue<br>03/30/2012-15:16:21.134086<br>/dfpAds.html?p=artist_profile&w=300&h=250&2=865&3=4315&4=41&5=0&9=0&11=592&15=41&18=30&19=0&0=1<br>
03/30/2012-15:16:21.134257 /more.php?addSongsToQueue<br>03/30/2012-15:16:21.135646 /more.php?artistGetFans<br><br>httpry.log:<br><br>2012-03-30 15:16:00 POST /more.php?getStreamKeyFromSongIDEx<br>2012-03-30 15:16:00 POST /more.php?getArtistByID<br>
2012-03-30 15:16:00 POST /more.php?albumGetAllSongs<br>2012-03-30 15:16:00 POST /more.php?markSongDownloadedEx<br>2012-03-30 15:16:00 POST /more.php?getAlbumRecentListeners<br>2012-03-30 15:16:01 POST /more.php?getPageNameByIDType<br>
2012-03-30 15:16:01 POST /more.php?getArtistProfileFeed<br>2012-03-30 15:16:01 POST /more.php?artistGetAllSongs<br>2012-03-30 15:16:01 POST /more.php?artistGetSimilarArtists<br>2012-03-30 15:16:01 POST /more.php?getSongkickEventsFromArtists<br>
2012-03-30 15:16:01 GET<br>/dfpAds.html?p=artist_profile&w=300&h=250&2=865&3=4315&4=41&5=0&9=0&11=592&15=41&18=30&19=0&0=1<br>2012-03-30 15:16:02 POST /more.php?artistGetFans<br>
2012-03-30 15:16:02 GET<br>/dfpAds.html?p=artist_profile&w=728&h=90&2=865&3=4315&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1<br>2012-03-30 15:16:02 POST /more.php?getArtistRecentListeners<br>
2012-03-30 15:16:04 POST /more.php?addSongsToQueue<br>2012-03-30 15:16:05 POST /more.php?addSongsToQueue<br>2012-03-30 15:16:05 POST /more.php?getStreamKeyFromSongIDEx<br>2012-03-30 15:16:06 POST /more.php?markSongDownloadedEx<br>
2012-03-30 15:16:06 POST /more.php?addSongsToQueue<br>2012-03-30 15:16:07 POST /more.php?addSongsToQueue<br>2012-03-30 15:16:08 POST /more.php?addSongsToQueue<br>2012-03-30 15:16:09 GET<br>/dfpAds.html?p=song_overview&w=300&h=250&2=401367&3=20839&4=193&5=0&9=0&11=592&15=38&18=30&19=0&0=1<br>
2012-03-30 15:16:09 GET<br>/dfpAds.html?p=song_overview&w=728&h=90&2=401367&3=20839&4=193&5=0&9=0&11=592&15=38&18=30&19=0&0=1<br>2012-03-30 15:16:10 POST /more.php?addSongsToQueue<br>
2012-03-30 15:16:17 GET<br>/dfpAds.html?p=artist_profile&w=300&h=250&2=865&3=4331&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1<br>2012-03-30 15:16:17 GET<br>/dfpAds.html?p=artist_profile&w=728&h=90&2=865&3=4331&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1<br>
<div class="im"><br>- --<br>Peter Bates<br>Senior Computer Security Officer Phone: <a href="tel:%2B44%280%292076792049" value="+442076792049">+44(0)2076792049</a><br>Information Services Division Internal Ext: 32049<br>
University College London<br>London WC1E 6BT<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v2.0.17 (MingW32)<br>Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>
<br></div>iQEcBAEBAgAGBQJPdcSdAAoJELhVoVpEMS6R17AH/3E4Yvs5X00yka73fftD5RAk<br>DrXGILyM5lO0O4t7fQBGt2u4704ECfl3071k4AY9qLew/hl/4UqkTRtOf7OL2lOq<br>nqNKgoSUJD0iNZGv/K1Gi3M0osm4wv73NZd+vo2AUNQtBDduEIVehu0ksVxkl6CL<br>IVPXHwaRgzwRpyV41Z7PseLeJkJdxHKNxpjifqX5gAbGT2HLbjWBZukgK8Y6a+qo<br>
HHOWT1RS6kTtKC2p5umO1PKwQvcv3b4OCntLhTjF1ylhp2x7amnuMQc7X5JGDaR7<br>qIWQkZol5t+DJq1cfucZUSUZ3PpY70gNnUELiiQ+jCPYqxUQEmPqppax4/T/1+o=<br>=jd2v<br>-----END PGP SIGNATURE-----<br><br></blockquote></div><br><br clear="all"><br>
-- <br>
<div>Regards,</div>
<div>Peter Manev</div><br>