[Oisf-devel] suricata fail to produce http log after copy to another host

Victor Julien victor at inliniac.net
Wed Sep 7 14:22:05 UTC 2011


Maybe the host uses checksum offloading?

You might want to try to disable:

stream:
  checksum_validation: no

See
https://redmine.openinfosecfoundation.org/issues/311

Cheers,
Victor

On 09/07/2011 04:06 PM, Delta Yeh wrote:
> I test pcap live mode with cmd " ./suricata -c
> /etc/suricata/suricata.yaml -i eth0 "
> 
> 
>  I use apache ab  in the same box(in both squeeze boxes) with suricata
> to test http log.
> 
> I run tcpdump  on the same interface, and there is http traffic.
> I also use wget to confirm that the http request is successful.
> 
> According to the suricata stats.log , it did handle some tcp traffic, but
> there is no http log.
> 
> I set debug level to info and enable console output, there is no
> error/warning outputs.
> 
> BTW, there is no IDS rule loaded for all the tests, so only test http
> log feature.
> 
> In the debian squeeze box A where suricata is compiled from source,
> everything is OK,
> but no http log in  debian squeeze box B.
> I copied some necessary library from A to B to make suricata run
> successfully in B.
> 
> 2011/9/7 rmkml <rmkml at yahoo.fr>:
>> Hi Delta,
>> Can you explain little bit more?
>> Maybe it's a network level pb? (not suricata)
>> If you sniff traffic with tcpdump like, do you look packets?
>> Cpu usage by Suricata in new box are not zero usage?
>> What is your suricata cmd line? output?
>> Regards
>> Rmkml
>>
>>
>> On Wed, 7 Sep 2011, Delta Yeh wrote:
>>
>>> Hi,
>>>  I compiled suricata (git HEAD) in one debian squeeze box, it can log
>>> http as expected.
>>> But if I copy suricata and the
>>> libraries(libhtp,libcap-ng,libnet,libyaml) to a new squeeze box,
>>> there is no http log any more.
>>> The config is the same.
>>>  Does anyone run into this before?
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
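
Why checksum offloading can produce this symptom, as an added example (not part of the original message and not Suricata code): with TX checksum offload, a capture on the sending host sees TCP segments before the NIC has filled in the checksum, so they fail validation. The addresses, ports and payload are constructed, and the offloaded field holding only the pseudo-header sum is an assumption about what such a capture shows.

```python
import socket
import struct

# Constructed sample values (documentation address range, made-up request).
SRC, DST = "192.0.2.10", "192.0.2.20"
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (Internet checksum, RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that is covered by the TCP checksum."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def build_segment(src: str, dst: str, payload: bytes, offloaded: bool = False) -> bytes:
    """Build a 20-byte TCP header plus payload (hypothetical helper).

    offloaded=True leaves only the pseudo-header sum in the checksum field
    (assumption: the NIC would have completed it after the capture point).
    """
    header = struct.pack("!HHLLHHHH", 40000, 80, 1, 1,
                         (5 << 12) | 0x018, 65535, 0, 0)  # PSH|ACK, csum=0
    segment = header + payload
    ph = pseudo_header(src, dst, len(segment))
    if offloaded:
        csum = ones_complement_sum(ph)
    else:
        csum = ~ones_complement_sum(ph + segment) & 0xFFFF
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A correct segment sums to 0xFFFF together with its pseudo-header."""
    ph = pseudo_header(src, dst, len(segment))
    return ones_complement_sum(ph + segment) == 0xFFFF

if __name__ == "__main__":
    for label, off in (("on the wire", False), ("captured before offload", True)):
        seg = build_segment(SRC, DST, PAYLOAD, offloaded=off)
        verdict = "valid" if tcp_checksum_ok(SRC, DST, seg) else "INVALID"
        print("%-24s checksum 0x%s -> %s" % (label, seg[16:18].hex(), verdict))
```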