[Oisf-users] Best approach to monitor http traffic with suricata

Eric Leblond eric at regit.org
Wed Dec 5 10:56:28 UTC 2012


Hi,

On Wed, 2012-12-05 at 10:22 +0000, C. L. Martinez wrote:
> Hi all,
> 
>  I have installed a new suricata sensor using release 1.4rc1 to
> monitor a pool of http servers. I need to monitor only http traffic
> with this sensor (over 35 http ports). In order to control the list of
> these http ports I was planning to use a bpf filter, but I have doubts
> about its syntax.

If you don't have too much bandwidth you can trust HTTP recognition.
Suricata will log HTTP requests even if they are not on a standard port.

So I would suggest running it as it is, or setting a bpf filter to only get
traffic from and to the HTTP servers.

BR,

> 
> a) First filter:
> 
> "tcp port 80 or tcp port 81 or tcp port 1100 or tcp port 1333 ..." and so on
> 
> b) Second Filter:
> 
> "tcp dst port 80 or tcp dst port 81 or tcp dst port 1100 or tcp dst
> port 1333 ..." and so on
> 
> c) Third filter (only packets that contain data)
> 
> "tcp port 80 or tcp port 81 or tcp port 100 ... and (((ip[2:2] -
> ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" and so on
> 
> or
> 
> "tcp dst port 80 or tcp dst port 81 or tcp dst port 100 ... and
> (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" and so on
> 
> What do you think??
> 
> Thanks.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

-- 
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
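The three filter variants from the question, and Eric's "from and to the HTTP servers" alternative, are easy to get subtly wrong when typed by hand for 35 ports. The following is an added example (not code from the thread or from the Suricata project): it generates each BPF string from a port or host list, and it re-implements the payload-length arithmetic of filter (c) in Python so the expression can be checked against constructed IPv4/TCP packets before it is trusted on a sensor. Packet contents, addresses and port numbers below are constructed for the example.

```python
# Added example: build the BPF expressions discussed in the thread and
# check the "only packets that contain data" arithmetic on sample packets.
import struct

# Payload-length test exactly as written in the question:
#   ip[2:2]             IPv4 total length
#   (ip[0]&0xf)<<2      IPv4 header length in bytes (IHL * 4)
#   (tcp[12]&0xf0)>>2   TCP data offset in bytes (offset * 4)
PAYLOAD_TEST = "(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"


def build_port_filter(ports, direction=None):
    """Filter (a) with direction=None ("tcp port N", both directions) or
    filter (b) with direction="dst" ("tcp dst port N", towards the servers)."""
    key = "tcp port" if direction is None else f"tcp {direction} port"
    return " or ".join(f"{key} {p}" for p in ports)


def build_data_only_filter(ports, direction=None):
    """Filter (c): the port alternatives are grouped explicitly so the
    reading does not depend on pcap-filter precedence rules."""
    return f"({build_port_filter(ports, direction)}) and {PAYLOAD_TEST}"


def build_server_filter(hosts):
    """Eric's suggestion: keep all TCP traffic from and to the HTTP servers
    and let Suricata's protocol detection find HTTP on non-standard ports.
    'host X' matches X as either source or destination."""
    return "tcp and (" + " or ".join(f"host {h}" for h in hosts) + ")"


def tcp_payload_len(pkt: bytes) -> int:
    """Evaluate the PAYLOAD_TEST arithmetic on raw IPv4+TCP bytes
    (no link-layer header), returning the TCP payload length."""
    total_len = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    ihl = (pkt[0] & 0x0F) << 2                      # (ip[0]&0xf)<<2
    tcp_off = (pkt[ihl + 12] & 0xF0) >> 2           # (tcp[12]&0xf0)>>2
    return total_len - ihl - tcp_off


def make_ipv4_tcp(payload: bytes, sport=40000, dport=80) -> bytes:
    """Construct a minimal IPv4/TCP packet (20-byte headers, no options,
    checksums left at zero) carrying `payload`. Constructed test data."""
    ihl, tcp_hdr = 20, 20
    total = ihl + tcp_hdr + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # byte 12: data offset 5 (x4 = 20 bytes) in the high nibble; byte 13: flags
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def matches_data_only(pkt: bytes) -> bool:
    """True when filter (c)'s arithmetic would keep this packet."""
    return tcp_payload_len(pkt) != 0


if __name__ == "__main__":
    print(build_data_only_filter([80, 81, 1100, 1333], direction="dst"))
    print(build_server_filter(["10.0.0.2", "10.0.0.3"]))
    req = make_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    ack = make_ipv4_tcp(b"")  # pure ACK, no payload
    print("request kept:", matches_data_only(req), "ack kept:", matches_data_only(ack))
```

The pure-ACK packet is the case filter (c) is meant to drop; the example shows the arithmetic does drop it while keeping the request. One thing the arithmetic does not account for is IP fragments other than the first, which carry no TCP header at all; BPF's `tcp[...]` accesses only work on the first fragment, so fragmented traffic is a blind spot for any of these filters.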