[Oisf-devel] http log entry number is more than the number of ab

Delta Yeh delta.yeh at gmail.com
Wed Jul 11 03:46:20 UTC 2012


Sometimes suricata will lose about 100-200 http requests if I send
200,000 requests with ab.
This is the first time that I observed the request number is more than ab sent.
Maybe the additional requests are generated by the suricata box itself,
such as a live update query.
I will follow your suggestion to find out the truth, thanks.



2012/7/11 I. Sanchez <sanchezmartin.ji at gmail.com>:
> Hi,
>
> You mention that the output of uds.py is:
>
> .....
> NO.200012
> NO.200013
> NO.200014
> NO.200015
>
> If I understand correctly... this means that the python script received
> 200015 HTTP requests, the same number logged by suricata, right?
>
> So, probably ab sent them. You could record all the packets with tcpdump -i
> eth0 -n -s0 -w trace.pcap tcp and then use ngrep to count them.
>
> Regards,
>
>
> On Tue, Jul 10, 2012 at 3:41 PM, Anoop Saldanha <anoopsaldanha at gmail.com>
> wrote:
>>
>> On Tue, Jul 10, 2012 at 7:06 PM, Victor Julien <victor at inliniac.net>
>> wrote:
>> > On 07/10/2012 07:08 AM, Delta Yeh wrote:
>> >>  Hi,
>> >>  In my test, I see the number of request logged is more than the number
>> >> of ab.
>> >> The topo is :
>> >>  ab ---- bridge(suricata,debian6) --- www
>> >>  I use ab -c 4 -n 200000 http://192.168.35.111:8079/ to generate http
>> >> requests.
>> >>
>> >>  It is expected to get 200000 http log entries but I get 200015.
>> >> I don't know whether ab sent the additional 15 requests or something is
>> >> wrong with suricata?
>> >>
>> >>  The http log config is:
>> >>      - http-log:
>> >>       enabled: yes
>> >>       filename: /tmp/accesslog
>> >>       extended: yes
>> >>       append: yes
>> >>       filetype: unix_dgram
>> >
>> > Can you test with the regular http.log file output? Make it overwrite
>> > (append: no) and do a wc -l http.log after the test. Rules out errors in
>> > the unix_dgram connection.
>> >
>> > Also, are you sure you're not seeing some other requests that the host
>> > makes?
>> >
>> > Cheers,
>> > Victor
>> >
>> > --
>> > ---------------------------------------------
>> > Victor Julien
>> > http://www.inliniac.net/
>> > PGP: http://www.inliniac.net/victorjulien.asc
>> > ---------------------------------------------
>> >
>> >
>> >
>> > _______________________________________________
>> > Oisf-devel mailing list
>> > Oisf-devel at openinfosecfoundation.org
>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>> To add to it, how many requests does the engine show at shutdown(on
>> the console)?
>>
>> --
>> Anoop Saldanha
>
>
>
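An added example (not from the thread or from the Suricata project) that tallies http.log entries per client, destination and user agent, so entries that ab did not send can be separated from the rest, following Victor's question about other requests the host makes. It assumes the extended http.log layout of " [**] "-separated fields ending in "src:port -> dst:port"; the sample lines and the client/mirror addresses are constructed.

```python
"""Tally Suricata http.log entries to spot requests ab did not send."""
from collections import Counter
import re

# Last field of an extended http.log line: "src:port -> dst:port" (assumed layout).
ENDPOINT_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample: three ab requests to the test target plus one APT-style
# request made by the sensor host itself during the run.
SAMPLE_LOG = """\
07/10/2012-07:00:01.000001 192.168.35.111 [**] / [**] ApacheBench/2.3 [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 45 bytes [**] 192.168.35.10:40001 -> 192.168.35.111:8079
07/10/2012-07:00:01.000101 192.168.35.111 [**] / [**] ApacheBench/2.3 [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 45 bytes [**] 192.168.35.10:40002 -> 192.168.35.111:8079
07/10/2012-07:00:02.000000 mirror.example [**] /dists/squeeze/Release [**] Debian APT-HTTP/1.3 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 1024 bytes [**] 192.168.35.1:51234 -> 10.0.0.5:80
07/10/2012-07:00:03.000000 192.168.35.111 [**] / [**] ApacheBench/2.3 [**] <no referer> [**] GET [**] HTTP/1.0 [**] 200 [**] 45 bytes [**] 192.168.35.10:40003 -> 192.168.35.111:8079
"""


def parse_line(line):
    """Return src, dst, dport and user agent of one log line, or None if malformed."""
    fields = line.rstrip("\n").split(" [**] ")
    if len(fields) < 3:
        return None
    m = ENDPOINT_RE.search(fields[-1])
    if not m:
        return None
    return {"src": m.group(1), "dst": m.group(3),
            "dport": int(m.group(4)), "ua": fields[2]}


def count_requests(lines):
    """Count entries per (src, dst, dport, user-agent); the sum matches wc -l."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["src"], rec["dst"], rec["dport"], rec["ua"])] += 1
    return counts


def split_by_target(lines, target_host, target_port):
    """Return (to_target, other): entries aimed at the ab target vs. everything else."""
    to_target = other = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] == target_host and rec["dport"] == target_port:
            to_target += 1
        else:
            other += 1
    return to_target, other


if __name__ == "__main__":
    for key, n in count_requests(SAMPLE_LOG.splitlines()).items():
        print(n, key)
    print(split_by_target(SAMPLE_LOG.splitlines(), "192.168.35.111", 8079))
```

Run it against the real file with `split_by_target(open("/var/log/suricata/http.log"), "192.168.35.111", 8079)`; a non-zero second value shows how many logged entries were not aimed at the ab target.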