[Oisf-users] Best approach to monitor http traffic with suricata
Eric Leblond
eric at regit.org
Wed Dec 5 10:56:28 UTC 2012
Hi,
On Wed, 2012-12-05 at 10:22 +0000, C. L. Martinez wrote:
> Hi all,
>
> I have installed a new suricata sensor using release 1.4rc1 to
> monitor a pool of http servers. I need to monitor only http traffic
> with this sensor (over 35 http ports). In order to control the list of
> these http ports I was planning to use a bpf filter, but I have doubts
> with their syntax.
If you don't have too much bandwidth you can trust HTTP recognition.
Suricata will log the HTTP request even if they are not a standard port.
So I will suggest to run it as it is or to set a bpf filter to only get
traffic from an to HTTP servers.
BR,
>
> a) First filter:
>
> "tcp port 80 or tcp port 81 or tcp port 1100 or tcp port 1333 ..." and so on
>
> b) Second Filter:
>
> "tcp dst port 80 or tcp dst port 81 or tcp dst port 1100 or tcp dst
> port 1333 ..." and so on
>
> c) Third filter (only packets that contains data)
>
> "tcp port 80 or tcp port 81 or tcp port 100 ... and (((ip[2:2] -
> ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" and so on
>
> or
>
> "tcp dst port 80 or tcp dst port 81 or tcp dst port 100 ... and
> (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" and so on
>
> What do you think??
>
> Thanks.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
--
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
More information about the Oisf-users
mailing list