[Oisf-users] Suricata's http-log

Martin Holste mcholste at gmail.com
Fri Mar 30 16:41:16 UTC 2012


Ok, cool.  Looks like we'll need Peter to re-run his tests on the new
code next week then!

On Fri, Mar 30, 2012 at 10:55 AM, Victor Julien <victor at inliniac.net> wrote:
> On 03/30/2012 05:49 PM, Martin Holste wrote:
>> This is what I was afraid of.  It sounds to me like Suricata can't
>> keep up logging at medium to high volumes.
>
> Btw, we identified a scalability issue wrt http logging. Fix should be
> in git sometime next week:
>
> https://redmine.openinfosecfoundation.org/issues/438
>
> Cheers,
> Victor
>
>> On Fri, Mar 30, 2012 at 10:30 AM, Peter Bates
>> <peter.bates at ucl.ac.uk> wrote:
>>
>> Hello all
>>
>> On 30/03/2012 16:05, Martin Holste wrote:
>>>>> Please use wc -l to count lines instead of file sizes when
>>>>> comparing.
>>
>> Running httpry and Suricata with a BPF of a known host and
>> generating various GET requests seems to elicit identical logs
>> (when eliminating the fact that httpry logs the response as Martin
>> noted so the log is double the size).
>>
>> I'll dig a bit more - there is obviously a bit of a difference
>> between testing against one destination from one source and the
>> traffic I usually see.
>>
>>>
>>> _______________________________________________ Oisf-users
>>> mailing list Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>


