[Oisf-users] http.log <hostname unknown>

Victor Julien victor at inliniac.net
Thu Apr 5 08:30:42 UTC 2012


On 04/05/2012 10:26 AM, Geert Alberghs wrote:
> Hello,
> 
> While checking the Suricata http.log I noticed that every time a URL
> contains a hostname followed by a port number, a <hostname unknown>
> message appears. Could this be a parsing problem? (probably due to ":"
> between hostname and port number)
> 
> examples:
> 
> 04/05/2012-09:54:36.796167 <hostname unknown> [**]
> search.twitter.com:443 [**] Mozilla/5.0
> (Windows NT 6.1) AppleWebKit/534.34 (KHTML, like Gecko) TweetDeck
> Safari/534.34 [**] 10.0.1.27:50746 -> 10.0.1.254:8080
> 
> 04/05/2012-09:54:37.206330 <hostname unknown> [**] I\x00H}\xE2\xD6Q2\xE8
> [**] <useragent unknown> [**] 10.0.1.62:62326 -> 10.0.1.254:8080
> 
> 04/05/2012-09:54:37.206330 <hostname unknown> [**]  [**] <useragent
> unknown> [**] 10.0.1.62:62326 -> 10.0.1.254:8080

The hostname field is taken from the Host header, so most likely the
requests don't have a Host header.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
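
An added example, not part of the original thread and not Suricata code: a small triage script for http.log lines like the ones quoted above, separating records whose hostname field was filled from the Host header from those logged as `<hostname unknown>`. The field layout is inferred from the quoted lines; the category labels, the idea of reading the name out of a `host:port` URI field, and the last sample line are assumptions made for this illustration.

```python
import re

UNKNOWN = "<hostname unknown>"
# Layout inferred from the lines quoted in the post:
# time host [**] uri [**] user-agent [**] src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>.*?) \[\*\*\] (?P<uri>.*?) \[\*\*\] "
    r"(?P<ua>.*?) \[\*\*\] (?P<src>\S+) -> (?P<dst>\S+)$"
)
HOST_PORT_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")
HEX_ESCAPE_RE = re.compile(r"\\x[0-9A-Fa-f]{2}")  # escaped bytes as logged

# First three: the lines from the post, unwrapped, link residue removed.
# Last one: constructed, to show a request that did carry a Host header.
SAMPLE = [
    r"04/05/2012-09:54:36.796167 <hostname unknown> [**] search.twitter.com:443 [**] Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.34 (KHTML, like Gecko) TweetDeck Safari/534.34 [**] 10.0.1.27:50746 -> 10.0.1.254:8080",
    r"04/05/2012-09:54:37.206330 <hostname unknown> [**] I\x00H}\xE2\xD6Q2\xE8 [**] <useragent unknown> [**] 10.0.1.62:62326 -> 10.0.1.254:8080",
    r"04/05/2012-09:54:37.206330 <hostname unknown> [**]  [**] <useragent unknown> [**] 10.0.1.62:62326 -> 10.0.1.254:8080",
    r"04/05/2012-09:54:38.000000 www.example.com [**] /index.html [**] Mozilla/5.0 [**] 10.0.1.27:50747 -> 10.0.1.254:8080",
]

def parse_line(line):
    """Split one http.log line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(rec):
    """Return (label, hostname or None) for one parsed record."""
    if rec["host"] != UNKNOWN:
        return "host-header-present", rec["host"]
    m = HOST_PORT_RE.match(rec["uri"])
    if m:
        # Assumption: the URI field itself names the destination host.
        return "no-host-header/uri-is-host-port", m.group(1)
    if not rec["uri"] or HEX_ESCAPE_RE.search(rec["uri"]):
        return "no-host-header/uri-empty-or-binary", None
    return "no-host-header/other", None

def report(lines):
    """Triage every line; lines that do not fit the layout are 'unparsed'."""
    out = []
    for line in lines:
        rec = parse_line(line)
        out.append(triage(rec) if rec else ("unparsed", None))
    return out

if __name__ == "__main__":
    for label, host in report(SAMPLE):
        print(label, host)
```
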



