[Oisf-devel] suricata fail to produce http log after copy to another host

Delta Yeh delta.yeh at gmail.com
Thu Sep 8 01:29:41 UTC 2011


It works, thank you.

2011/9/7 Victor Julien <victor at inliniac.net>:
> Maybe the host uses checksum offloading?
>
> You might want to try to disable:
>
> stream:
>  checksum_validation: no
>
> See
> https://redmine.openinfosecfoundation.org/issues/311
>
> Cheers,
> Victor
>
> On 09/07/2011 04:06 PM, Delta Yeh wrote:
>> I test pcap live mode with cmd " ./suricata -c
>> /etc/suricata/suricata.yaml -i eth0 "
>>
>>
>>  I use apache ab  in the same box(in both squeeze boxes) with suricata
>> to test http log.
>>
>> I run tcpdump  on the same interface, and there is http traffic.
>> I also use wget to confirm that the http request is successful.
>>
>> According to the suricata stats.log , it did handle some tcp traffic, but
>> there is no http log.
>>
>> I set debug level to info and enable console output, there is no
>> error/warning outputs.
>>
>> BTW, there is no IDS rule loaded for all the tests, so only test http
>> log feature.
>>
>> In the debian squeeze box A where suricata is compiled from source,
>> everything is OK,
>> but no http log in  debian squeeze box B.
>> I copied some necessary libraries from A to B to make suricata run
>> successfully in B.
>>
>> 2011/9/7 rmkml <rmkml at yahoo.fr>:
>>> Hi Delta,
>>> Can you explain a little bit more?
>>> Maybe it's a network-level problem? (not suricata)
>>> If you sniff traffic with tcpdump or the like, do you see packets?
>>> Is the CPU usage by Suricata on the new box non-zero?
>>> What is your suricata cmd line? output?
>>> Regards
>>> Rmkml
>>>
>>>
>>> On Wed, 7 Sep 2011, Delta Yeh wrote:
>>>
>>>> Hi,
>>>>  I compiled suricata (git HEAD) in one debian squeeze box, it can log
>>>> http as expected.
>>>> But if I copy suricata and the
>>>> libraries(libhtp,libcap-ng,libnet,libyaml) to a new squeeze box,
>>>> there is no http log any more.
>>>> The config is the same.
>>>>  Does anyone run into this before?
>>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
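
Added example, not part of the thread or of Suricata's code: with transmit checksum offloading, a capture on the sending host (here, `ab` running on the same box as Suricata) sees each TCP segment before the NIC has written the final checksum, so a validator that recomputes it rejects the segment, which is the check that `checksum_validation: no` under `stream:` turns off. The addresses, ports and payload are constructed, and the "offloaded" case assumes the kernel has stored only the pseudo-header sum in the checksum field.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP and TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that is covered by the TCP checksum."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A segment with a correct checksum field sums to 0xFFFF."""
    data = pseudo_header(src, dst, len(segment)) + segment
    return ones_complement_sum(data) == 0xFFFF

def build_segment(src: str, dst: str, payload: bytes, offloaded: bool) -> bytes:
    """Constructed TCP segment: ports 40000 -> 80, PSH|ACK, no options."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    pseudo = pseudo_header(src, dst, len(segment))
    if offloaded:
        # Assumption: only the pseudo-header sum is present at capture time;
        # the NIC would complete the checksum after the capture point.
        csum = ones_complement_sum(pseudo)
    else:
        # Full software checksum, as a remote sensor would see on the wire.
        csum = ~ones_complement_sum(pseudo + segment) & 0xFFFF
    # The checksum field occupies bytes 16-17 of the TCP header.
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

SRC, DST = "192.168.1.10", "192.168.1.20"   # constructed sample addresses
REQUEST = b"GET / HTTP/1.0\r\n\r\n"          # constructed sample payload

if __name__ == "__main__":
    for label, offloaded in (("on the wire", False), ("captured before NIC", True)):
        seg = build_segment(SRC, DST, REQUEST, offloaded)
        print(f"{label:>20}: checksum valid = {tcp_checksum_ok(SRC, DST, seg)}")
```
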


