[Oisf-users] Suricata 1.4 http.log only shows request coming from client?

Vincent Fang vincent.y.fang at gmail.com
Sun Feb 10 17:29:43 UTC 2013


I figured it out later. What initially confused me, and I'll make an update
to the redmine docs to clarify this, was that this was an http log so I
thought I should be seeing all the http requests and http responses from
outside my internal network. When I examined the http custom logging
page, I realized that there were options you could specify that checked the
http status %s, headers from the http response %{}o, and so forth. So even
though all the source ip addresses I see are from inside my network,
Suricata also keeps track of the http responses to each http request and
you just have to specify it through the format options to make suricata
display in the logs how the server responded.

The fact that I wasn't seeing the http responses in their own separate
lines was what basically confused me.


On Sat, Feb 9, 2013 at 2:07 PM, Peter Manev <petermanev at gmail.com> wrote:

>
>
> On Fri, Feb 8, 2013 at 7:43 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
>
>> I'm examining the http.log and the configuration in the suricata.yaml and
>> I'm noticing it's only showing requests coming from the client side but no
>> http responses from the server being requested or http requests from
>> external to my internal network. Is there a configuration setting that
>> changes this?
>>
>> I'm using a custom logging format where it shows the source ip and source
>> port -> destination ip destination port like so for http-log in the
>> suricata.yaml:
>>
>>
>> customformat: %a %p -> %A %P
>>
>>
>> Vince
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>
> Hi Vince,
>
> works fine for me....:
>
>> 192.168.1.131 40285 -> 8.27.131.126 80
>> 192.168.1.131 37783 -> 157.166.255.115 80
>> 192.168.1.131 40286 -> 8.27.131.126 80
>> 192.168.1.131 60343 -> 70.33.205.133 80
>> 192.168.1.131 43553 -> 209.84.11.254 80
>> 192.168.1.131 43529 -> 209.84.11.254 80
>> 192.168.1.131 43532 -> 209.84.11.254 80
>> 192.168.1.131 60342 -> 70.33.205.133 80
>> 192.168.1.131 42182 -> 66.235.142.3 80
>> 192.168.1.131 56043 -> 138.108.6.20 80
>>
> ....
>
>> 192.168.1.71 16319 -> 192.168.1.131 80
>> 192.168.1.71 16319 -> 192.168.1.131 80
>>
>
>
> this is my config line:
>
>>   - http-log:
>>       enabled: yes
>>       filename: http.log
>>       append: yes
>>       #extended: yes     # enable this for extended logging information
>>       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
>>       custom: yes
>>       customformat: "%a %p -> %A %P"
>>
>
> Suricata 1.4
>
> But then again .. i am not sure what your set up exactly is (network wise).
> Are all the log lines with http requests "out -> in" missing? And
> is it just those that are missing?
>
> Thanks
>
> --
> Regards,
> Peter Manev
>
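As an added example for the point Vince landed on (this is not code from the thread and not Suricata's own code): once the http-log customformat carries response fields such as %s and %{}o, each http.log line describes a whole transaction, and a small script can pull the server's answer out of lines that all have an internal client as %a. The assumed configuration is the customformat string given in the docstring, the sample log lines are constructed, and the parser, function names and Content-Type choice are the example's own.

```python
"""Parse Suricata http.log lines written with a custom format that carries
response fields, and summarise how servers answered each client.

Added example for this thread, not Suricata's code and not a real capture.
Assumed http-log configuration in suricata.yaml (custom: yes):

    customformat: "%t %a:%p -> %A:%P %m %h%u %s %{Content-Type}o"

%s is the response status and %{Content-Type}o a response header, so one
line per HTTP transaction shows both the request and the server's reply.
"""
import re
from collections import Counter, defaultdict

CUSTOMFORMAT = '%t %a:%p -> %A:%P %m %h%u %s %{Content-Type}o'

# Constructed sample http.log output in the format above (not real traffic).
SAMPLE_LOG = """\
[10/Feb/2013:17:29:43.000123 +0000] 192.168.1.131:40285 -> 8.27.131.126:80 GET www.example.com/index.html 200 text/html; charset=UTF-8
[10/Feb/2013:17:29:44.000456 +0000] 192.168.1.131:37783 -> 157.166.255.115:80 GET www.example.org/missing 404 text/html
[10/Feb/2013:17:29:45.000789 +0000] 192.168.1.71:16319 -> 192.168.1.131:80 POST 192.168.1.131/upload.php 500 text/html
[10/Feb/2013:17:29:46.000001 +0000] 192.168.1.71:16320 -> 192.168.1.131:80 GET 192.168.1.131/logo.png 200 image/png
"""

# One regex group per field of CUSTOMFORMAT. The Content-Type value may
# contain spaces (e.g. "text/html; charset=UTF-8"), so it takes the rest
# of the line.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) '
    r'(?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>.*)$'
)


def parse_line(line):
    """Return a dict of fields for one http.log line, or None if the line
    does not match the assumed customformat."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['sport'] = int(rec['sport'])
    rec['dport'] = int(rec['dport'])
    rec['status'] = int(rec['status'])
    return rec


def parse_log(text):
    """Parse every line of an http.log; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def response_summary(records):
    """Map (client, server) -> Counter of status codes the server returned.
    This is the 'how did the server respond' view the thread was after,
    even though %a is always the client side of the transaction."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[(rec['src'], rec['dst'])][rec['status']] += 1
    return summary


def error_responses(records, threshold=400):
    """Transactions the server answered with a status >= threshold."""
    return [rec for rec in records if rec['status'] >= threshold]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for (client, server), codes in sorted(response_summary(recs).items()):
        print(f'{client} -> {server}: {dict(codes)}')
    for rec in error_responses(recs):
        print(f"{rec['ts']} {rec['method']} {rec['url']} -> "
              f"{rec['status']} ({rec['ctype']})")
```

Run it against a real http.log only after setting the same customformat in suricata.yaml; if the format differs, parse_line returns None for every line and nothing is counted, which is the safe failure here.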

