[Oisf-users] Empty http.log file
Victor Julien
victor at inliniac.net
Tue Jul 10 09:47:59 EDT 2012
On 07/09/2012 04:23 PM, kay wrote:
> Yes, it is.
Can you share a record from your stats.log?
A record like the one here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Statistics
Cheers,
Victor
> 2012/7/9 Victor Julien <victor at inliniac.net>:
>> On 07/09/2012 04:17 PM, kay wrote:
>>> Does anyone have any clue why http.log is empty when Suricata runs in NFQ
>>> "repeat" mode?
>>
>> Does it work properly if you're using the normal accept/drop nfq mode?
>>
>> Cheers,
>> Victor
>>
>>> 2012/7/9 kay <kay.diam at gmail.com>:
>>>> I don't quite understand what you mean... I copy-pasted these rules
>>>> from iptables-save:
>>>> # Generated by iptables-save v1.4.7 on Mon Jul 9 15:48:00 2012
>>>> *filter
>>>> :INPUT ACCEPT [4264:1708762]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [1949:515483]
>>>> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE --queue-num 0
>>>> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>>>> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE --queue-num 0
>>>> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
>>>> COMMIT
>>>> # Completed on Mon Jul 9 15:48:00 2012
>>>>
>>>> I run suricata in NFQ "repeat" mode with "-q 0" option.
>>>>
>>>> For some reason "accept" mode writes logs, but I need to use the "mark"
>>>> functionality. Actually, I cannot even reach the "mark packets"
>>>> functionality in "repeat" mode either. That is why I created the "--mark
>>>> 0x1/0x1 -m tcp --dport 80 -j ACCEPT" firewall rules as an iptables
>>>> counter.
>>>>
>>>> Here is my rule:
>>>>
>>>> pass tcp any any -> any any (content: "TEST"; msg: "TEST string test!"; nfq_set_mark:0x01/0x01; sid:2455;)
>>>>
>>>> 2012/7/9 Victor Julien <victor at inliniac.net>:
>>>>> On 07/09/2012 01:39 PM, kay wrote:
>>>>>> Here are iptables rules:
>>>>>>
>>>>>> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE --queue-num 0
>>>>>> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>>>>>> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE --queue-num 0
>>>>>> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
>>>>>
>>>>> Are these in the (default) filter table?
>>>>>
>>>>> _______________________________________________
>>>>> Oisf-users mailing list
>>>>> Oisf-users at openinfosecfoundation.org
>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
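The iptables rules quoted in this thread are the shape NFQ "repeat" mode needs: Suricata re-injects each verdicted packet carrying a mark, the kernel runs the packet through the chain again, so the NFQUEUE rule must skip already-marked packets and a second rule must ACCEPT them, otherwise the packet is queued to Suricata forever. The following checker is an added example written for this page; it is not code from the thread or from the Suricata project. It parses iptables-save output and compares the mark tests against the values Suricata uses for re-injection, which the checker assumes are taken from the nfq.repeat-mark and nfq.repeat-mask settings in suricata.yaml (1/1 by default). The sample rulesets are constructed from the poster's rules, with the wrapped lines rejoined, and from a deliberately broken variant.

```python
"""Consistency check for iptables rules used with Suricata's NFQ "repeat" mode.

In repeat mode Suricata re-injects every verdicted packet with a mark
(assumed here to come from nfq.repeat-mark / nfq.repeat-mask in
suricata.yaml, 1/1 by default) and the kernel runs it through the same
chain again.  The NFQUEUE rule must therefore exclude already-marked
packets, and a rule must ACCEPT them, or the packet is queued forever.
Example code, not part of Suricata.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the poster's rules from the thread, wrapped lines rejoined.
GOOD_RULES = """\
*filter
:INPUT ACCEPT [4264:1708762]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1949:515483]
-A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE --queue-num 0
-A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE --queue-num 0
-A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
COMMIT
"""

# Constructed broken variant: the NFQUEUE rules no longer skip marked packets.
LOOPING_RULES = GOOD_RULES.replace("-m mark ! --mark 0x1/0x1 ", "")


@dataclass
class Rule:
    table: str
    chain: str
    target: Optional[str]
    queue_num: int                      # NFQUEUE without --queue-num uses queue 0
    mark: Optional[Tuple[int, int]]     # (value, mask) from "-m mark --mark v/m"
    mark_negated: bool                  # True for "! --mark"
    raw: str


def parse_mark(spec: str) -> Tuple[int, int]:
    """'0x1/0x1' -> (1, 1); a bare value means a full 32-bit mask."""
    value, _, mask = spec.partition("/")
    return int(value, 0), (int(mask, 0) if mask else 0xFFFFFFFF)


def parse_iptables_save(text: str) -> List[Rule]:
    """Extract the -A rules (with table, target, queue and mark test) from an iptables-save dump."""
    rules, table = [], "filter"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]            # "*filter", "*mangle", ...
            continue
        if not line.startswith("-A "):
            continue                    # chain policies, COMMIT, comments
        toks = shlex.split(line)
        chain, target, queue, mark, negated = toks[1], None, 0, None, False
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "-j" and i + 1 < len(toks):
                target, i = toks[i + 1], i + 2
            elif t == "--queue-num" and i + 1 < len(toks):
                queue, i = int(toks[i + 1]), i + 2
            elif t == "!" and i + 2 < len(toks) and toks[i + 1] == "--mark":
                negated, mark, i = True, parse_mark(toks[i + 2]), i + 3
            elif t == "--mark" and i + 1 < len(toks):
                mark, i = parse_mark(toks[i + 1]), i + 2
            else:
                i += 1
        rules.append(Rule(table, chain, target, queue, mark, negated, line))
    return rules


def check_repeat_mode(text: str, queue_num: int = 0,
                      repeat_mark: int = 1, repeat_mask: int = 1) -> List[str]:
    """Return the problems found; an empty list means the ruleset is consistent
    with Suricata re-injecting packets marked repeat_mark/repeat_mask."""
    rules = parse_iptables_save(text)
    nfq = [r for r in rules if r.target == "NFQUEUE" and r.queue_num == queue_num]
    problems = []
    if not nfq:
        problems.append(f"no NFQUEUE rule for queue {queue_num}")
    for r in nfq:
        if r.mark is None or not r.mark_negated:
            problems.append(f"{r.table}/{r.chain}: NFQUEUE rule does not skip "
                            f"marked packets, re-injected packets loop: {r.raw}")
            continue
        value, mask = r.mark
        if mask != repeat_mask or (value & mask) != (repeat_mark & repeat_mask):
            problems.append(f"{r.table}/{r.chain}: mark test {value:#x}/{mask:#x} does not "
                            f"match nfq repeat-mark/repeat-mask {repeat_mark:#x}/{repeat_mask:#x}")
        if not any(a.table == r.table and a.chain == r.chain and a.target == "ACCEPT"
                   and a.mark == r.mark and not a.mark_negated for a in rules):
            problems.append(f"{r.table}/{r.chain}: no ACCEPT rule for packets "
                            f"re-injected with mark {value:#x}/{mask:#x}")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("looping", LOOPING_RULES)):
        print(name, check_repeat_mode(text) or "OK")
```

Run it against `iptables-save` output on the sensor host and pass the queue number given to `suricata -q` and the repeat-mark/repeat-mask values from suricata.yaml; an empty list means the NFQUEUE rules exclude re-injected packets and those packets have a matching ACCEPT. The checker only covers the mark plumbing, so it says nothing about why http.log might stay empty; for that, Victor's request for a stats.log record is the right next step.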