[Oisf-users] Suricata 1.4 http.log only shows request coming from client?

Peter Manev petermanev at gmail.com
Sat Feb 9 19:07:33 UTC 2013


On Fri, Feb 8, 2013 at 7:43 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:

> I'm examining the http.log and the configuration in the suricata.yaml and
> I'm noticing it's only showing requests coming from the client side but no
> http responses from the server being requested or http requests from
> external to my internal network. Is there a configuration setting that
> changes this?
>
> I'm using a custom logging format where it shows the source ip and source
> port -> destination ip destination port like so for http-log in the
> suricata.yaml:
>
>
> customformat: %a %p -> %A %P
>
>
> Vince
>

Hi Vince,

Works fine for me:

> 192.168.1.131 40285 -> 8.27.131.126 80
> 192.168.1.131 37783 -> 157.166.255.115 80
> 192.168.1.131 40286 -> 8.27.131.126 80
> 192.168.1.131 60343 -> 70.33.205.133 80
> 192.168.1.131 43553 -> 209.84.11.254 80
> 192.168.1.131 43529 -> 209.84.11.254 80
> 192.168.1.131 43532 -> 209.84.11.254 80
> 192.168.1.131 60342 -> 70.33.205.133 80
> 192.168.1.131 42182 -> 66.235.142.3 80
> 192.168.1.131 56043 -> 138.108.6.20 80
>
....

> 192.168.1.71 16319 -> 192.168.1.131 80
> 192.168.1.71 16319 -> 192.168.1.131 80
>


This is my config block:

>   - http-log:
>       enabled: yes
>       filename: http.log
>       append: yes
>       #extended: yes     # enable this for extended logging information
>       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
>       custom: yes
>       customformat: "%a %p -> %A %P"
>

Suricata 1.4

But then again, I am not sure what your setup exactly is (network-wise).
Are all the log lines with HTTP requests "out -> in" missing? And is
it just them that are missing?

Thanks

-- 
Regards,
Peter Manev
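As an added example (not code from the thread, and not part of Suricata): a small Python script that parses http.log lines in exactly the `%a %p -> %A %P` layout used above. In this format `%a`/`%p` are the client side and `%A`/`%P` the server side of each HTTP transaction, so a request arriving from outside shows the external address on the left and the internal server on the right. Counting lines per direction against a home network answers the question in the reply: whether the "out -> in" lines are absent altogether or merely rare. The home network (192.168.1.0/24), the sample lines and the 203.0.113.x client address are constructed assumptions for the demonstration.

```python
import ipaddress
from collections import Counter

# Constructed sample of http.log lines in the thread's custom format
# "%a %p -> %A %P" (client ip, client port -> server ip, server port).
# The first three mirror the shape of the lines in the thread; the
# 203.0.113.x line is a made-up inbound request from an external client,
# and the last line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
192.168.1.131 40285 -> 8.27.131.126 80
192.168.1.131 37783 -> 157.166.255.115 80
192.168.1.71 16319 -> 192.168.1.131 80
203.0.113.25 51234 -> 192.168.1.131 80
this line is not in the expected format
"""

# Assumed home network; replace with the HOME_NET from your suricata.yaml.
HOME_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def is_internal(addr):
    """True if addr falls inside any of the configured home networks."""
    return any(addr in net for net in HOME_NETS)


def parse_line(line):
    """Parse one '%a %p -> %A %P' line into (client, cport, server, sport).

    Returns None for lines that do not match the format so that a stray
    line does not abort the whole run.
    """
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        client = ipaddress.ip_address(parts[0])
        server = ipaddress.ip_address(parts[3])
        cport, sport = int(parts[1]), int(parts[4])
    except ValueError:
        return None
    return client, cport, server, sport


def classify(client, server):
    """Label a transaction by which side of the home network each end is on."""
    src = "in" if is_internal(client) else "out"
    dst = "in" if is_internal(server) else "out"
    return f"{src}->{dst}"


def summarize(log_text):
    """Count http.log transactions per direction.

    A zero for 'out->in' on a host that serves HTTP to the outside is the
    symptom worth chasing (sensor placement, HOME_NET, or the capture itself).
    """
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, _, server, _ = parsed
        counts[classify(client, server)] += 1
    return counts


if __name__ == "__main__":
    for direction, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{direction}: {n}")
```

Run it against a real http.log by replacing `SAMPLE_LOG` with the file contents; because http.log writes one line per transaction keyed on the client and server, a response never appears as its own line, so only the `out->in` count tells you whether inbound requests are being logged.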