<div dir="ltr">Downside is "yet another service" on my many sensors, which I was hoping to avoid. I'm assuming there's no flag to tell Suricata to log to http.log and a u2 file?</div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Wed, Sep 18, 2013 at 11:13 AM, Eoin Miller <span dir="ltr"><<a href="mailto:eoin.miller@trojanedbinaries.com" target="_blank">eoin.miller@trojanedbinaries.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 9/18/2013 17:19, Duane Howard wrote:<br>
> Hey folks, another strange behavior I'm seeing that I'm wondering about.<br>
><br>
> I have a rule like this, which I believe should basically record all<br>
> sessions to IP_I_CARE_ABOUT:<br>
> alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic";<br>
> tag:session,300,seconds; reference:url,<a href="http://foo.example.com" target="_blank">foo.example.com</a><br>
</div>> <<a href="http://foo.example.com" target="_blank">http://foo.example.com</a>>; classtype:misc-activity; priority:2;<br>
<div class="im">> sid:9000001; rev:1;)<br>
><br>
> I also have http logging enabled.<br>
> It seems like when this rule fires I get the SYN/SYN-ACK/ACK, but do not<br>
> get any further traffic when the traffic is HTTP, I do however get<br>
> corresponding HTTP text logs written to my http.log file.<br>
><br>
> Is this working as intended? I assumed that I would get the full capture<br>
> as well as the plaintext log of the HTTP traffic.<br>
><br>
> Thanks,<br>
> /.d<br>
<br>
</div>You should take a look at Moloch.<br>
<br>
<a href="http://molo.ch" target="_blank">http://molo.ch</a><br>
<a href="http://github.com/aol/moloch" target="_blank">http://github.com/aol/moloch</a><br>
<span class="HOEnZb"><font color="#888888"><br>
-- Eoin<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br></div>