<div dir="ltr">Anoop and everybody, thanks! Looks helpful!</div><div class="gmail_extra"><br><br><div class="gmail_quote">2014/1/13 Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Nikita,<br>
<br>
To add to what others have said, have a look at debuglog as well,<br>
which logs other details such as the transaction id that triggered the<br>
rule alert. The tx_id should help you single out the http transaction<br>
from http.log that caused the alert.<br>
<div class="HOEnZb"><div class="h5"><br>
On Sun, Jan 12, 2014 at 8:13 PM, Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>> wrote:<br>
> We are experimenting with correlation between the fast.log and http.log with some success. We are storing the information from those two logs into database tables and have written queries that attempt to find the relationship between the two logs. The difficult part is fine-tuning the query to find exactly that moment in time where the data from fast.log and http.log intersect. It is not an impossible task but just takes some work fine-tuning.<br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a> [mailto:<a href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org">oisf-users-bounces@lists.openinfosecfoundation.org</a>] On Behalf Of Peter Manev<br>
> Sent: Sunday, January 12, 2014 4:25 AM<br>
> To: Nikita Kislitsin<br>
> Cc: <a href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a><br>
> Subject: Re: [Oisf-users] http.log + rules meta information<br>
><br>
> On Sat, Jan 11, 2014 at 10:17 PM, Nikita Kislitsin <<a href="mailto:kislitsin@group-ib.ru">kislitsin@group-ib.ru</a>> wrote:<br>
>><br>
>> Thanks!<br>
>><br>
>> I need to search in http requests and write a log that includes all the details about matching sessions - src/dst ip:port, matched rule msg, domain, URI and method of the HTTP request.<br>
>><br>
>> Looks like Suricata can't do that out of the box, right?<br>
>><br>
>><br>
><br>
><br>
> Not right out of the box.<br>
> It still looks to me that you need to correlate data - but you would like all the information about that specific session to be written in one specific log, correct?<br>
><br>
> Just to point out, entries in the http.log are not directly related to those in the fast.log (alert). In other words, http.log logs all the http requests Suricata sees, regardless of whether alerts are triggered or not.<br>
><br>
> Suricata can also log detailed DNS, TLS and Files logs (besides alert and<br>
> http) - fyi.<br>
><br>
><br>
><br>
> thanks<br>
><br>
><br>
><br>
> --<br>
> Regards,<br>
> Peter Manev<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
-------------------------------<br>
Anoop Saldanha<br>
<a href="http://www.poona.me" target="_blank">http://www.poona.me</a><br>
-------------------------------<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div style="font-family:arial,sans-serif;font-size:13px">
<b>Nikita Kislitsin</b><br>
Head of Botnet Monitoring Project<br>
<b>Group-IB</b> (Global Cyber Security Company)<br>
+7 (495) 984-33-64 ext. 137<br>
+7 (903) 791-65-28<br>
<a href="mailto:kislitsin@group-ib.com" target="_blank">kislitsin@group-ib.com</a><br>
<a href="http://www.group-ib.com/" target="_blank">www.group-ib.com</a>
</div></div>
</div>
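<p>The correlation the thread describes (matching a fast.log alert to the http.log transaction on the same connection by 5-tuple and timestamp, which is what Leonard does with database queries), written out as an added example; this is not code from the Suricata project or from anyone on this thread. It assumes the classic text layouts of fast.log and the non-extended http.log, the sample lines are constructed, and the 5-second window is an arbitrary choice. Where a keep-alive connection carries several requests inside the window, the nearest timestamp is chosen and the number of candidates is reported so the ambiguity stays visible; an alert with no http.log entry on its flow gets <code>None</code>, which is Peter's point that the two logs are not keyed to each other.</p>

```python
"""Correlate Suricata fast.log alerts with http.log transactions.

Added example, not code from the Suricata project or from anyone on the
thread. Assumes the classic text layouts of fast.log and of the
non-"extended" http.log; all sample lines below are constructed.
"""
import re
from datetime import datetime, timedelta

TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"   # assumed: timestamp layout shared by both logs

# fast.log: "<ts>  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port"
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# http.log (non-extended): "<ts> host [**] uri [**] user-agent [**] src:port -> dst:port"
HTTP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+\[\*\*\]\s+(?P<uri>\S+)\s+\[\*\*\]\s+"
    r"(?P<ua>.*?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse(lines, regex):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    out = []
    for line in lines:
        m = regex.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        # Direction-agnostic key: an alert raised on the server's response
        # carries the flow reversed relative to the request in http.log.
        rec["flow"] = tuple(sorted([(rec["src"], int(rec["sport"])),
                                    (rec["dst"], int(rec["dport"]))]))
        out.append(rec)
    return out


def correlate(fast_lines, http_lines, window=timedelta(seconds=5)):
    """For each alert, pick the http.log entry on the same 5-tuple whose
    timestamp is nearest to the alert's, within +/- window.

    Returns one dict per alert: sid, msg, the chosen http record (or None)
    and how many transactions on that flow fell inside the window, so the
    caller can see when the match is ambiguous."""
    http_by_flow = {}
    for h in parse(http_lines, HTTP_RE):
        http_by_flow.setdefault(h["flow"], []).append(h)
    results = []
    for a in parse(fast_lines, FAST_RE):
        cands = [h for h in http_by_flow.get(a["flow"], [])
                 if abs(h["ts"] - a["ts"]) <= window]
        best = min(cands, key=lambda h: abs(h["ts"] - a["ts"]), default=None)
        results.append({"sid": int(a["sid"]), "msg": a["msg"],
                        "http": best, "candidates": len(cands)})
    return results


FAST_SAMPLE = [  # constructed fast.log lines
    "01/12/2014-10:15:02.345678  [**] [1:2000001:1] TEST HTTP uri match [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "192.0.2.10:51234 -> 198.51.100.5:80",
    "01/12/2014-10:15:07.000000  [**] [1:2000002:1] TEST other sig [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} "
    "192.0.2.11:40001 -> 198.51.100.5:80",
]
HTTP_SAMPLE = [  # constructed http.log lines; two requests share one keep-alive connection
    "01/12/2014-10:15:02.345012 example.test [**] /cgi-bin/test.cgi?id=1 [**] "
    "curl/7.30.0 [**] 192.0.2.10:51234 -> 198.51.100.5:80",
    "01/12/2014-10:15:02.900000 example.test [**] /favicon.ico [**] "
    "curl/7.30.0 [**] 192.0.2.10:51234 -> 198.51.100.5:80",
    "01/12/2014-10:15:30.000000 other.test [**] /index.html [**] "
    "Mozilla/5.0 [**] 192.0.2.12:40002 -> 198.51.100.5:80",
]

if __name__ == "__main__":
    for r in correlate(FAST_SAMPLE, HTTP_SAMPLE):
        h = r["http"]
        where = "%s %s" % (h["host"], h["uri"]) if h else "no http.log entry on this flow"
        print("sid %d (%s): %s [%d candidate(s) in window]"
              % (r["sid"], r["msg"], where, r["candidates"]))
```

<p>On the constructed input the first alert lands on <code>/cgi-bin/test.cgi?id=1</code> with two candidates (the favicon request on the same connection is the other one), and the second alert has no http.log entry at all. With the extended http.log format the extra fields end up inside the user-agent group, so the layout regex needs widening before running this against a real file.</p>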