[Oisf-devel] http log entry number is more than the number of ab

I. Sanchez sanchezmartin.ji at gmail.com
Tue Jul 10 16:32:31 UTC 2012


Hi,

You mention that the output of uds.py is:
.....
NO.200012
NO.200013
NO.200014
NO.200015

If I understand correctly... this means that the python script received
200015 HTTP requests, the same number logged by suricata, right?

So, probably ab sent them. You could record all the packets with tcpdump -i
eth0 -n -s0 -w trace.pcap tcp and then use ngrep to count them.

Regards,

On Tue, Jul 10, 2012 at 3:41 PM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:

> On Tue, Jul 10, 2012 at 7:06 PM, Victor Julien <victor at inliniac.net>
> wrote:
> > On 07/10/2012 07:08 AM, Delta Yeh wrote:
> >>  Hi,
> >>  In my test, I see the number of requests logged is more than the number of ab.
> >> The topo is :
> >>  ab ---- bridge(suricata,debian6) --- www
> >>  I use ab -c 4 -n 200000 http://192.168.35.111:8079/ to generate http requests.
> >>
> >>  It is expected to get 200000 http log entry but I get 200015.
> >> I don't know whether ab sent the additional 15 requests or something
> >> wrong with suricata?
> >>
> >>  The http log config is:
> >>      - http-log:
> >>       enabled: yes
> >>       filename: /tmp/accesslog
> >>       extended: yes
> >>       append: yes
> >>       filetype: unix_dgram
> >
> > Can you test with the regular http.log file output? Make it overwrite
> > (append: no) and do a wc -l http.log after the test. Rules out errors in
> > the unix_dgram connection.
> >
> > Also, are you sure you're not seeing some other requests that the host
> > makes?
> >
> > Cheers,
> > Victor
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> >
> >
> > _______________________________________________
> > Oisf-devel mailing list
> > Oisf-devel at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
> To add to it, how many requests does the engine show at shutdown(on
> the console)?
>
> --
> Anoop Saldanha
>
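As an added example (not code from the thread, from uds.py, or from the Suricata project): a small Python script that parses http.log lines in the extended format, counts requests per client IP and User-Agent, and separates ab's requests from everything else, which is the quickest way to answer Victor's question about other requests the host makes. The sample lines are constructed, and both the field layout of the extended http.log and ab's default "ApacheBench/" User-Agent string are assumptions to adjust for your version.

```python
from collections import Counter

# Constructed sample in the shape of Suricata's extended http.log
# (field order assumed; adjust the parser if your version differs).
SAMPLE_HTTP_LOG = """\
07/10/2012-15:30:01.000001 192.168.35.111 [**] / [**] ApacheBench/2.3 [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 45 bytes [**] 192.168.35.10:40001 -> 192.168.35.111:8079
07/10/2012-15:30:01.000002 192.168.35.111 [**] / [**] ApacheBench/2.3 [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 45 bytes [**] 192.168.35.10:40002 -> 192.168.35.111:8079
07/10/2012-15:30:01.000003 192.168.35.111 [**] / [**] ApacheBench/2.3 [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 45 bytes [**] 192.168.35.10:40003 -> 192.168.35.111:8079
07/10/2012-15:30:02.000004 192.168.35.111 [**] /status [**] curl/7.21.0 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 12 bytes [**] 192.168.35.10:40004 -> 192.168.35.111:8079
07/10/2012-15:30:03.000005 192.168.35.111 [**] / [**] ApacheBench/2.3 [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 45 bytes [**] 192.168.35.10:40005 -> 192.168.35.111:8079
07/10/2012-15:30:04.000006 192.168.35.111 [**] /favicon.ico [**] Mozilla/5.0 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 404 [**] 0 bytes [**] 192.168.35.20:51000 -> 192.168.35.111:8079
"""


def parse_http_log(text):
    """Yield (client_ip, user_agent, uri, status) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split(" [**] ")
        if len(fields) != 9:
            continue  # blank line or unexpected layout: skip rather than guess
        # last field is "src:port -> dst:port"; keep the client address only
        client_ip = fields[8].split(" -> ")[0].rsplit(":", 1)[0]
        yield client_ip, fields[2], fields[1], fields[6]


def requests_by_client(text):
    """Count logged requests per (client IP, User-Agent) pair."""
    return Counter((ip, ua) for ip, ua, _, _ in parse_http_log(text))


def split_by_generator(text, ua_prefix="ApacheBench/"):
    """Separate the load generator's requests from everything else.

    Returns (generator_count, others); `others` lists the surplus requests
    so you can see which client and URI produced them.
    """
    gen, others = 0, []
    for ip, ua, uri, status in parse_http_log(text):
        if ua.startswith(ua_prefix):
            gen += 1
        else:
            others.append((ip, ua, uri, status))
    return gen, others


if __name__ == "__main__":
    gen, others = split_by_generator(SAMPLE_HTTP_LOG)
    print(f"logged total: {gen + len(others)}  from ab: {gen}  other: {len(others)}")
    for ip, ua, uri, status in others:
        print(f"  extra: {ip} {ua} {uri} -> {status}")
```

Run it against the real file after an `append: no` run and compare the printed total with `wc -l http.log`; if the ab count matches `-n` exactly, the surplus is the other clients listed, not a counting error in Suricata.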

