[Oisf-users] Suricata 1.4 http.log only shows request coming from client?
Peter Manev
petermanev at gmail.com
Sat Feb 9 19:07:33 UTC 2013
On Fri, Feb 8, 2013 at 7:43 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
> I'm examining the http.log and the configuration in the suricata.yaml and
> I'm noticing it's only showing requests coming from the client side but no
> http responses from the server being requested or http requests from
> external to my internal network. Is there a configuration setting that
> changes this?
>
> I'm using a custom logging format where it shows the source ip and source
> port -> destination ip destination port like so for http-log in the
> suricata.yaml:
>
>
> customformat: %a %p -> %A %P
>
>
> Vince
>
>
Hi Vince,
works fine for me:

192.168.1.131 40285 -> 8.27.131.126 80
192.168.1.131 37783 -> 157.166.255.115 80
192.168.1.131 40286 -> 8.27.131.126 80
192.168.1.131 60343 -> 70.33.205.133 80
192.168.1.131 43553 -> 209.84.11.254 80
192.168.1.131 43529 -> 209.84.11.254 80
192.168.1.131 43532 -> 209.84.11.254 80
192.168.1.131 60342 -> 70.33.205.133 80
192.168.1.131 42182 -> 66.235.142.3 80
192.168.1.131 56043 -> 138.108.6.20 80
....
192.168.1.71 16319 -> 192.168.1.131 80
192.168.1.71 16319 -> 192.168.1.131 80

this is my config line:

  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      custom: yes
      customformat: "%a %p -> %A %P"

Suricata 1.4
But then again, I am not sure what your setup exactly is (network-wise).
Are all the log lines with HTTP requests "out -> in" missing? And is
it just them that are missing?
Thanks
--
Regards,
Peter Manev
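To check the kind of gap Peter is asking about, one can parse http.log lines written in the thread's custom format and count transactions by direction relative to a home network. This is an added example, not code from the thread or from Suricata; it assumes %a/%p are the client IP/port and %A/%P the server IP/port, that the sample lines are constructed, and that the home network (192.168.1.0/24) is a placeholder for your own HOME_NET.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the thread's custom format "%a %p -> %A %P".
# The last line is deliberately malformed to show how parse failures are counted.
SAMPLE_LOG = """\
192.168.1.131 40285 -> 8.27.131.126 80
192.168.1.131 37783 -> 157.166.255.115 80
192.168.1.71 16319 -> 192.168.1.131 80
203.0.113.9 51000 -> 192.168.1.131 80
not a log line
"""

# Hypothetical home network; replace with the HOME_NET used in suricata.yaml.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# One regex for "client_ip client_port -> server_ip server_port".
LINE_RE = re.compile(r"^(\S+) (\d+) -> (\S+) (\d+)$")


def parse_line(line):
    """Return (client_ip, client_port, server_ip, server_port) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return (ipaddress.ip_address(m.group(1)), int(m.group(2)),
                ipaddress.ip_address(m.group(3)), int(m.group(4)))
    except ValueError:  # an address field that is not a valid IP
        return None


def is_home(ip):
    return any(ip in net for net in HOME_NET)


def direction(client_ip, server_ip):
    """Classify a transaction as in/out relative to HOME_NET (client -> server)."""
    c, s = is_home(client_ip), is_home(server_ip)
    if c and s:
        return "in -> in"
    if c:
        return "in -> out"
    if s:
        return "out -> in"
    return "out -> out"


def count_directions(log_text):
    """Count http.log transactions per direction; unparseable lines are counted too."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[direction(rec[0], rec[2])] += 1
    return counts
```

A zero count for "out -> in" on a sensor that should see inbound HTTP points at capture placement or HOME_NET rather than at the log format.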