[Oisf-users] Suricata's http-log

Martin Holste mcholste at gmail.com
Fri Mar 30 15:28:45 UTC 2012


Ah, along with that, if you have a stream cutoff (as most do), then
requests after that stream cutoff won't get logged.  There can be many
HTTP requests on the same stream, so this may be affecting things.
Still, this seems to be quite a disparity, so I'm a bit concerned.

On Fri, Mar 30, 2012 at 10:14 AM, Victor Julien <victor at inliniac.net> wrote:
> Also, since Suri's http engine is stateful, packet loss may be a factor
> as well. The "stream.gap" counter is one indication of streams affected
> by packet loss.
>
> On 03/30/2012 05:05 PM, Martin Holste wrote:
>> Please use wc -l to count lines instead of file sizes when comparing.
>>
>> On Fri, Mar 30, 2012 at 9:49 AM, Victor Julien <victor at inliniac.net> wrote:
>>> On 03/30/2012 04:48 PM, Peter Manev wrote:
>>>> Please have in mind that Suricata actually logs only properly terminated
>>>> connections in terms of http (FA received, proper tcp teardown).
>>>
>>> TCP sessions that time out (no RST or FIN sequence) will be logged as well.
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

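As an added illustration of Martin's point that many HTTP requests can share one TCP stream (this is example code written for this page, not code from the thread or from the Suricata project): the script below groups http.log lines by TCP flow and counts how many requests sit beyond a given per-flow limit. It assumes the classic one-line http.log layout (timestamp, host, URI, user agent and src:port -> dst:port separated by [**]), uses constructed sample lines, and approximates Suricata's byte-based stream depth with a request count.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed classic Suricata http.log layout:
#   timestamp host [**] uri [**] user-agent [**] src:port -> dst:port
SAMPLE_HTTP_LOG = """\
03/30/2012-15:01:02.000001 www.example.com [**] /index.html [**] Mozilla/5.0 [**] 10.1.1.5:51000 -> 192.0.2.10:80
03/30/2012-15:01:02.100001 www.example.com [**] /style.css [**] Mozilla/5.0 [**] 10.1.1.5:51000 -> 192.0.2.10:80
03/30/2012-15:01:02.200001 www.example.com [**] /app.js [**] Mozilla/5.0 [**] 10.1.1.5:51000 -> 192.0.2.10:80
03/30/2012-15:01:02.300001 www.example.com [**] /logo.png [**] Mozilla/5.0 [**] 10.1.1.5:51000 -> 192.0.2.10:80
03/30/2012-15:01:05.000001 cdn.example.net [**] /lib.js [**] Mozilla/5.0 [**] 10.1.1.5:51001 -> 198.51.100.7:80
03/30/2012-15:01:09.000001 www.example.com [**] /login [**] curl/7.22 [**] 10.1.1.9:40022 -> 192.0.2.10:80
03/30/2012-15:01:09.500001 www.example.com [**] /home [**] curl/7.22 [**] 10.1.1.9:40022 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S*) \[\*\*\] (?P<uri>.*?) \[\*\*\] (?P<ua>.*?) \[\*\*\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def requests_per_flow(log_text):
    """Count http.log lines per TCP flow, keyed by (src, sport, dst, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        counts[(m["src"], m["sport"], m["dst"], m["dport"])] += 1
    return counts


def requests_beyond(counts, per_flow_limit):
    """Requests that come after the first `per_flow_limit` on their flow.

    This is the rough share of http.log lines a stream cutoff could drop;
    the real Suricata cutoff is measured in reassembled bytes, not requests.
    """
    return sum(max(0, n - per_flow_limit) for n in counts.values())


def summarize(log_text, per_flow_limit=2):
    """Totals a practitioner would compare against `wc -l` on the same file."""
    counts = requests_per_flow(log_text)
    return {
        "requests": sum(counts.values()),
        "flows": len(counts),
        "max_per_flow": max(counts.values(), default=0),
        "beyond_limit": requests_beyond(counts, per_flow_limit),
    }
```

Run against a real http.log, "requests" should equal `wc -l`; a large "beyond_limit" alongside a non-zero stream.gap counter points at stream depth or packet loss rather than a logging bug.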

