[Oisf-users] Suricata's http-log

Peter Manev petermanev at gmail.com
Fri Mar 30 14:48:00 UTC 2012


Hi,

Is there a chance that you can share a small pcap for this? Privately if
you would like - let's say for a smaller amount of time - that would be
possible to be mailed....
Please bear in mind that Suricata actually logs only properly terminated
connections in terms of http (FA received, proper tcp teardown).

Thanks
On Fri, Mar 30, 2012 at 4:35 PM, Peter Bates <peter.bates at ucl.ac.uk> wrote:

>
> Hello all
>
> On 30/03/2012 14:12, Peter Manev wrote:
> > Is there any way that you could compare the two logs by the ways
> > of scripting/bashing ? - if Suri and httpry are running at the same
> > time (maybe just 10 min time span)?
>
> Running both for ten minutes (both sniffing from eth1):
> -rw-r-----. 1 snort  snort  2.0M Mar 30 14:30 http.log.10mins
> -rw-r--r--. 1 httpry httpry 268M Mar 30 14:30 httpry.log.10mins
>
> Httpry is only compiled with libpcap and I was running Suricata with
> AFPACKET so I tried a test for 10 seconds with both using pcap:
>
> -rw-r--r--. 1 root   root   2.1M Mar 30 14:39 httpry.log
> -rw-r-----. 1 snort  snort  590K Mar 30 14:35 http.log
>
> Httpry by default also logs the server responses on a separate line,
> but I've removed those and still see the difference above.
>
> Taking an arbitrary host from the log, 'grooveshark.com':
> http.log:
>
> 03/30/2012-15:16:00.459591 /more.php?getStreamKeyFromSongIDEx
> 03/30/2012-15:16:00.716673 /more.php?albumGetAllSongs
> 03/30/2012-15:16:00.749612 /more.php?markSongDownloadedEx
> 03/30/2012-15:16:00.801473 /more.php?getArtistByID
> 03/30/2012-15:16:01.024251 /more.php?getAlbumRecentListeners
> 03/30/2012-15:16:01.889693 /more.php?getArtistProfileFeed
> 03/30/2012-15:16:01.995698 /more.php?artistGetAllSongs
> 03/30/2012-15:16:06.547887 /more.php?addSongsToQueue
> 03/30/2012-15:16:18.436115 /dfpAds.html?p=artist_profile&w=728&h=90&2=865&3=4331&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1
> 03/30/2012-15:16:18.873468 /more.php?addSongsToQueue
> 03/30/2012-15:16:21.134086 /dfpAds.html?p=artist_profile&w=300&h=250&2=865&3=4315&4=41&5=0&9=0&11=592&15=41&18=30&19=0&0=1
> 03/30/2012-15:16:21.134257 /more.php?addSongsToQueue
> 03/30/2012-15:16:21.135646 /more.php?artistGetFans
>
> httpry.log:
>
> 2012-03-30 15:16:00 POST /more.php?getStreamKeyFromSongIDEx
> 2012-03-30 15:16:00 POST /more.php?getArtistByID
> 2012-03-30 15:16:00 POST /more.php?albumGetAllSongs
> 2012-03-30 15:16:00 POST /more.php?markSongDownloadedEx
> 2012-03-30 15:16:00 POST /more.php?getAlbumRecentListeners
> 2012-03-30 15:16:01 POST /more.php?getPageNameByIDType
> 2012-03-30 15:16:01 POST /more.php?getArtistProfileFeed
> 2012-03-30 15:16:01 POST /more.php?artistGetAllSongs
> 2012-03-30 15:16:01 POST /more.php?artistGetSimilarArtists
> 2012-03-30 15:16:01 POST /more.php?getSongkickEventsFromArtists
> 2012-03-30 15:16:01 GET /dfpAds.html?p=artist_profile&w=300&h=250&2=865&3=4315&4=41&5=0&9=0&11=592&15=41&18=30&19=0&0=1
> 2012-03-30 15:16:02 POST /more.php?artistGetFans
> 2012-03-30 15:16:02 GET /dfpAds.html?p=artist_profile&w=728&h=90&2=865&3=4315&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1
> 2012-03-30 15:16:02 POST /more.php?getArtistRecentListeners
> 2012-03-30 15:16:04 POST /more.php?addSongsToQueue
> 2012-03-30 15:16:05 POST /more.php?addSongsToQueue
> 2012-03-30 15:16:05 POST /more.php?getStreamKeyFromSongIDEx
> 2012-03-30 15:16:06 POST /more.php?markSongDownloadedEx
> 2012-03-30 15:16:06 POST /more.php?addSongsToQueue
> 2012-03-30 15:16:07 POST /more.php?addSongsToQueue
> 2012-03-30 15:16:08 POST /more.php?addSongsToQueue
> 2012-03-30 15:16:09 GET /dfpAds.html?p=song_overview&w=300&h=250&2=401367&3=20839&4=193&5=0&9=0&11=592&15=38&18=30&19=0&0=1
> 2012-03-30 15:16:09 GET /dfpAds.html?p=song_overview&w=728&h=90&2=401367&3=20839&4=193&5=0&9=0&11=592&15=38&18=30&19=0&0=1
> 2012-03-30 15:16:10 POST /more.php?addSongsToQueue
> 2012-03-30 15:16:17 GET /dfpAds.html?p=artist_profile&w=300&h=250&2=865&3=4331&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1
> 2012-03-30 15:16:17 GET /dfpAds.html?p=artist_profile&w=728&h=90&2=865&3=4331&4=42&5=0&9=0&11=592&15=42&18=30&19=0&0=1
>
> --
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division       Internal Ext: 32049
> University College London
> London WC1E 6BT


-- 
Regards,
Peter Manev
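The thread asks for the two logs to be compared by script rather than by eye. The following is an added example, not code from this thread or from the Suricata or httpry projects. It assumes both logs have already been cut down to the "timestamp path" / "timestamp METHOD path" form shown in the excerpts above, that a Suricata record within a 5-second window of an httpry request with the same path refers to the same request (Suricata's timestamps in the excerpts run a second or so behind httpry's), and it uses constructed sample lines modelled on the excerpts. Matching is greedy in time order, so when httpry shows several identical requests in a burst and Suricata shows one, the first unmatched httpry request claims it.

```python
"""Cross-check a Suricata http.log excerpt against an httpry log.

An httpry request counts as "seen by Suricata" when Suricata logged the same
path within WINDOW seconds of it.  The result lists what httpry saw that
Suricata did not, and the reverse.  The sample lines are constructed in the
reduced timestamp-plus-path form shown in the thread; they are not real logs.
"""
import re
from collections import defaultdict
from datetime import datetime

# Tolerance between the two sensors' timestamps.  5 s is an assumption, not a
# value from the thread (Suricata stamps the request later than httpry does).
WINDOW = 5.0

SURICATA_RE = re.compile(r'^(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)$')
HTTPRY_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([A-Z]+)\s+(\S+)$')
EPOCH = datetime(1970, 1, 1)


def _seconds(ts):
    """Naive datetime -> seconds; both logs come from the same sensor clock."""
    return (ts - EPOCH).total_seconds()


def parse_suricata(lines):
    """Return [(seconds, path)] from http.log lines reduced to 'timestamp path'."""
    out = []
    for line in lines:
        m = SURICATA_RE.match(line.strip())
        if m:  # lines in any other shape are skipped
            out.append((_seconds(datetime.strptime(m.group(1), '%m/%d/%Y-%H:%M:%S.%f')),
                        m.group(2)))
    return out


def parse_httpry(lines):
    """Return [(seconds, method, path)] from lines reduced to 'timestamp METHOD path'."""
    out = []
    for line in lines:
        m = HTTPRY_RE.match(line.strip())
        if m:  # response lines, which carry no method, do not match and are dropped
            out.append((_seconds(datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S')),
                        m.group(2), m.group(3)))
    return out


def match_logs(suricata, httpry, window=WINDOW):
    """Pair each httpry request (in time order) with the nearest still-unused
    Suricata record of the same path inside `window`.
    Returns (matched, missing_from_suricata, only_in_suricata)."""
    by_path = defaultdict(list)
    for t, p in suricata:
        by_path[p].append(t)
    used = {p: [False] * len(ts) for p, ts in by_path.items()}
    matched, missing = [], []
    for t, method, p in sorted(httpry):
        best = None  # (index into by_path[p], time distance)
        for i, st in enumerate(by_path.get(p, [])):
            d = abs(st - t)
            if not used[p][i] and d <= window and (best is None or d < best[1]):
                best = (i, d)
        if best is None:
            missing.append((t, method, p))
        else:
            used[p][best[0]] = True
            matched.append((t, method, p, best[1]))
    extra = [(by_path[p][i], p) for p in by_path for i, u in enumerate(used[p]) if not u]
    return matched, missing, extra


def summarize(suricata_lines, httpry_lines, window=WINDOW):
    """Counts plus the distinct paths httpry saw and Suricata did not."""
    matched, missing, extra = match_logs(parse_suricata(suricata_lines),
                                         parse_httpry(httpry_lines), window)
    return {
        'httpry_requests': len(matched) + len(missing),
        'suricata_requests': len(matched) + len(extra),
        'matched': len(matched),
        'missing_from_suricata': len(missing),
        'only_in_suricata': len(extra),
        'missing_paths': sorted({p for _, _, p in missing}),
    }


# Constructed sample in the reduced form the thread shows (not the real logs).
SAMPLE_SURICATA = [
    '03/30/2012-15:16:00.459591 /more.php?getStreamKeyFromSongIDEx',
    '03/30/2012-15:16:00.716673 /more.php?albumGetAllSongs',
    '03/30/2012-15:16:06.547887 /more.php?addSongsToQueue',
    '03/30/2012-15:16:18.436115 /dfpAds.html?p=artist_profile&w=728&h=90',
]
SAMPLE_HTTPRY = [
    '2012-03-30 15:16:00 POST /more.php?getStreamKeyFromSongIDEx',
    '2012-03-30 15:16:00 POST /more.php?albumGetAllSongs',
    '2012-03-30 15:16:01 POST /more.php?getPageNameByIDType',
    '2012-03-30 15:16:04 POST /more.php?addSongsToQueue',
    '2012-03-30 15:16:05 POST /more.php?addSongsToQueue',
    '2012-03-30 15:16:17 GET /dfpAds.html?p=artist_profile&w=728&h=90',
    '2012-03-30 15:16:30 GET /dfpAds.html?p=artist_profile&w=728&h=90',
]

if __name__ == '__main__':
    for key, value in summarize(SAMPLE_SURICATA, SAMPLE_HTTPRY).items():
        print(f'{key}: {value}')
```

Running it on real captures means feeding `summarize()` the two reduced logs for the same host and window; the `missing_paths` list is what to chase next, since a path that httpry reports repeatedly but Suricata never logs is the kind of request that a small pcap, as asked for above, would let someone reproduce.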