[Oisf-users] Suricata's http-log

Peter Bates peter.bates at ucl.ac.uk
Fri Mar 30 14:35:09 UTC 2012



Hello all

On 30/03/2012 14:12, Peter Manev wrote:
> Is there any way that you could compare the two logs by the ways
> of scripting/bashing ? - if Suri and httpry are running at the same
> time (maybe just 10 min time span)?

Running both for ten minutes (both sniffing from eth1):
-rw-r-----. 1 snort  snort  2.0M Mar 30 14:30 http.log.10mins
-rw-r--r--. 1 httpry httpry 268M Mar 30 14:30 httpry.log.10mins

Httpry is only compiled with libpcap and I was running Suricata with
AFPACKET so I tried a test for 10 seconds with both using pcap:

-rw-r--r--. 1 root   root   2.1M Mar 30 14:39 httpry.log
-rw-r-----. 1 snort  snort  590K Mar 30 14:35 http.log

Httpry by default also logs the server responses on a separate line,
but I've removed those and still see the difference above.

Taking an arbitrary host from the log, 'grooveshark.com':
http.log:

03/30/2012-15:16:00.459591 /more.php?getStreamKeyFromSongIDEx
03/30/2012-15:16:00.716673 /more.php?albumGetAllSongs
03/30/2012-15:16:00.749612 /more.php?markSongDownloadedEx
03/30/2012-15:16:00.801473 /more.php?getArtistByID
03/30/2012-15:16:01.024251 /more.php?getAlbumRecentListeners
03/30/2012-15:16:01.889693 /more.php?getArtistProfileFeed
03/30/2012-15:16:01.995698 /more.php?artistGetAllSongs
03/30/2012-15:16:06.547887 /more.php?addSongsToQueue
03/30/2012-15:16:18.436115 /dfpAds.html?p=artist_profile&w=728&h=90&2=865&3=4331&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1
03/30/2012-15:16:18.873468 /more.php?addSongsToQueue
03/30/2012-15:16:21.134086 /dfpAds.html?p=artist_profile&w=300&h=250&2=865&3=4315&4=41&5=0&9=0&11=592&15=41&18=30&19=0&0=1
03/30/2012-15:16:21.134257 /more.php?addSongsToQueue
03/30/2012-15:16:21.135646 /more.php?artistGetFans

httpry.log:

2012-03-30 15:16:00 POST /more.php?getStreamKeyFromSongIDEx
2012-03-30 15:16:00 POST /more.php?getArtistByID
2012-03-30 15:16:00 POST /more.php?albumGetAllSongs
2012-03-30 15:16:00 POST /more.php?markSongDownloadedEx
2012-03-30 15:16:00 POST /more.php?getAlbumRecentListeners
2012-03-30 15:16:01 POST /more.php?getPageNameByIDType
2012-03-30 15:16:01 POST /more.php?getArtistProfileFeed
2012-03-30 15:16:01 POST /more.php?artistGetAllSongs
2012-03-30 15:16:01 POST /more.php?artistGetSimilarArtists
2012-03-30 15:16:01 POST /more.php?getSongkickEventsFromArtists
2012-03-30 15:16:01 GET /dfpAds.html?p=artist_profile&w=300&h=250&2=865&3=4315&4=41&5=0&9=0&11=592&15=41&18=30&19=0&0=1
2012-03-30 15:16:02 POST /more.php?artistGetFans
2012-03-30 15:16:02 GET /dfpAds.html?p=artist_profile&w=728&h=90&2=865&3=4315&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1
2012-03-30 15:16:02 POST /more.php?getArtistRecentListeners
2012-03-30 15:16:04 POST /more.php?addSongsToQueue
2012-03-30 15:16:05 POST /more.php?addSongsToQueue
2012-03-30 15:16:05 POST /more.php?getStreamKeyFromSongIDEx
2012-03-30 15:16:06 POST /more.php?markSongDownloadedEx
2012-03-30 15:16:06 POST /more.php?addSongsToQueue
2012-03-30 15:16:07 POST /more.php?addSongsToQueue
2012-03-30 15:16:08 POST /more.php?addSongsToQueue
2012-03-30 15:16:09 GET /dfpAds.html?p=song_overview&w=300&h=250&2=401367&3=20839&4=193&5=0&9=0&11=592&15=38&18=30&19=0&0=1
2012-03-30 15:16:09 GET /dfpAds.html?p=song_overview&w=728&h=90&2=401367&3=20839&4=193&5=0&9=0&11=592&15=38&18=30&19=0&0=1
2012-03-30 15:16:10 POST /more.php?addSongsToQueue
2012-03-30 15:16:17 GET /dfpAds.html?p=artist_profile&w=300&h=250&2=865&3=4331&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1
2012-03-30 15:16:17 GET /dfpAds.html?p=artist_profile&w=728&h=90&2=865&3=4331&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
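Peter Manev's suggestion of comparing the two logs by script can be made concrete with a small Python tool. This is an added example, not code from the thread or from the Suricata or httpry projects. It assumes the trimmed two-column http.log layout quoted in the message (timestamp, then URI) and httpry request lines of the form date, time, method, URI with response lines already removed; the sample lines at the bottom are constructed from the excerpts above, and the window constant and function names are the example's own.

```python
"""Compare the request URIs logged by Suricata's http.log and by httpry
over the same time window, so the gap between the two files can be
explained entry by entry rather than by file size alone."""
import sys
from collections import Counter
from datetime import datetime


def parse_suricata(text):
    """Yield (timestamp, uri) from http.log lines in the trimmed two-column
    form quoted in the message, e.g.
    '03/30/2012-15:16:00.459591 /more.php?getStreamKeyFromSongIDEx'.
    Assumed layout: first field is the timestamp, second is the URI."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank line, or a URI that was wrapped onto its own line
        ts = datetime.strptime(parts[0], "%m/%d/%Y-%H:%M:%S.%f")
        yield ts, parts[1]


def parse_httpry(text):
    """Yield (timestamp, method, uri) from httpry request lines such as
    '2012-03-30 15:16:00 POST /more.php?getArtistByID'.
    Assumed layout: date, time, method, URI (response lines already stripped)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2], parts[3]


def compare_logs(suricata_text, httpry_text, start=None, end=None):
    """Count each URI per tool inside [start, end) (no bound when None) and
    return the totals plus the URIs, including extra repeats, that only one
    of the two tools recorded."""
    def in_window(ts):
        return (start is None or ts >= start) and (end is None or ts < end)

    suri = Counter(uri for ts, uri in parse_suricata(suricata_text) if in_window(ts))
    hr = Counter(uri for ts, _method, uri in parse_httpry(httpry_text) if in_window(ts))
    return {
        "suricata_total": sum(suri.values()),
        "httpry_total": sum(hr.values()),
        "only_in_httpry": hr - suri,    # Counter subtraction keeps positive counts only
        "only_in_suricata": suri - hr,
    }


# Constructed sample input modelled on the excerpts in the message.
SAMPLE_SURICATA = """\
03/30/2012-15:16:00.459591 /more.php?getStreamKeyFromSongIDEx
03/30/2012-15:16:00.716673 /more.php?albumGetAllSongs
03/30/2012-15:16:18.436115 /dfpAds.html?p=artist_profile&w=728&h=90
"""

SAMPLE_HTTPRY = """\
2012-03-30 15:16:00 POST /more.php?getStreamKeyFromSongIDEx
2012-03-30 15:16:00 POST /more.php?getArtistByID
2012-03-30 15:16:00 POST /more.php?albumGetAllSongs
2012-03-30 15:16:02 GET /dfpAds.html?p=artist_profile&w=728&h=90
2012-03-30 15:16:05 POST /more.php?getStreamKeyFromSongIDEx
"""

# One-minute window covering the constructed sample (hypothetical value).
WINDOW = (datetime(2012, 3, 30, 15, 16, 0), datetime(2012, 3, 30, 15, 17, 0))


def main(argv):
    """Usage: compare_http_logs.py http.log httpry.log (uses the sample when no files are given)."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            suricata_text = f.read()
        with open(argv[2]) as f:
            httpry_text = f.read()
        result = compare_logs(suricata_text, httpry_text)
    else:
        result = compare_logs(SAMPLE_SURICATA, SAMPLE_HTTPRY, *WINDOW)
    print(f"suricata requests: {result['suricata_total']}  httpry requests: {result['httpry_total']}")
    for label in ("only_in_httpry", "only_in_suricata"):
        for uri, n in result[label].most_common():
            print(f"{label:17} {n:4d}  {uri}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against the two captures taken over the same ten minutes, the `only_in_httpry` list shows which requests Suricata's http-log never emitted, and whether they cluster on particular hosts, methods, or on repeats of the same URI within a second (the sample shows both a repeated POST and a request Suricata missed entirely). Timestamps are only used to restrict both files to the same window, because http.log carries microseconds and httpry whole seconds, so they cannot be matched one to one.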