[Oisf-users] Logging full sessions and HTTP logs concurrently

Duane Howard duane.security at gmail.com
Tue Oct 1 16:05:29 UTC 2013


ping?


On Fri, Sep 27, 2013 at 10:06 AM, Duane Howard <duane.security at gmail.com> wrote:

> FWIW I'm still not getting the payload information for these rules after
> rolling out 1.4.6 to my sensors. Still only getting TCP flags
> SYN/SYN,ACK/ACK, FIN, etc. and TCP options. But no TCP payload data in the
> packet. We are still however getting HTTP content in the http.log file. Any
> ideas? Things I can do to provide more info, something I might have
> misconfigured?
>
>
> On Thu, Sep 19, 2013 at 8:24 AM, Victor Julien <lists at inliniac.net> wrote:
>
>> On 09/19/2013 04:37 PM, Victor Julien wrote:
>> > On 09/19/2013 04:31 PM, Duane Howard wrote:
>> >> Victor, am I correct in my interpretation of these responses that
>> because I
>> >> do have "tag:session,300,seconds;" in my rule, this should be working,
>> but
>> >> Suricata has a bug (tracking at
>> >> https://redmine.openinfosecfoundation.org/issues/969) that is
>> relevant to
>> >> this, and that my lack of packets is *not* due to the HTTP logging
>> module
>> >> being enabled?
>> >
>> > Yes. The HTTP logging module is not related to this in any way.
>> >
>> > If you want to test the fix, please try:
>> >
>> > https://github.com/inliniac/suricata/pull/557 (if you're willing to
>> test
>> > the master branch)
>> > or:
>> > https://github.com/inliniac/suricata/tree/dev-fix-tag-14 (if you're on
>> > 1.4.x)
>> >
>>
>> I've pushed both fixes out, so both "master" and "master-1.4.x" have it
>> now.
>>
>> Will be in 1.4.6. Should be out next week.
>>
>> Cheers,
>> Victor
>>
>> > Cheers,
>> > Victor
>> >
>> >>
>> >> ./d
>> >>
>> >>
>> >> On Thu, Sep 19, 2013 at 2:31 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>> >>
>> >>> On Thu, Sep 19, 2013 at 2:58 PM, Victor Julien <lists at inliniac.net>
>> wrote:
>> >>>> -----BEGIN PGP SIGNED MESSAGE-----
>> >>>> Hash: SHA1
>> >>>>
>> >>>> On 09/19/2013 11:24 AM, Edward Fjellskål wrote:
>> >>>>> I googled, but did not find any docs about it.... saw some hits on
>> >>>>> the sourcecode, but did not dig into them.
>> >>>>>
>> >>>>> This is a great feature to have though, and I guess one can use
>> >>>>> this for a fairly good packet capture and might satisfy the initial
>> >>>>> request?
>> >>>>
>> >>>> When fixed, this works by pushing the tags into the unified2 records,
>> >>>> so barnyard2 would have to make pcap files out of that. Not sure how
>> >>>> to configure by2 for that though.
>> >>>>
>> >>>
>> >>> When tagged packets are logged, what will we log as the alert sid in
>> >>> barnyard hdr, for packets that didn't trigger any alerts?
>> >>>
>> >>>>> On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <lists at inliniac.net
>> >>>>> <mailto:lists at inliniac.net>> wrote:
>> >>>>>
>> >>>>> On 09/19/2013 09:07 AM, Edward Fjellskål wrote:
>> >>>>>> https://redmine.openinfosecfoundation.org/issues/120
>> >>>>>
>> >>>>>> Snort would be able to do this like:
>> >>>>>
>> >>>>>> alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet
>> >>>>>> Evil-IP 85.19.221.54 (gamelinux.org)";
>> >>>>>> flags:S; tag:session,1000,bytes,100,seconds,0,packets;
>> >>>>>> classtype:trojan-activity; sid:201102011; rev:1;)
>> >>>>>
>> >>>>> We support this tagging as well, never really benched it.
>> >>>>>
>> >>>
>> >>>
>> >>> --
>> >>> -------------------------------
>> >>> Anoop Saldanha
>> >>> http://www.poona.me
>> >>> -------------------------------
>> >>> _______________________________________________
>> >>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> >>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> >>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >>> OISF: http://www.openinfosecfoundation.org/
>> >>>
>> >>
>> >
>> >
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>
>
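Since the whole thread turns on what a `tag:session,...` option makes the sensor log, here is an added example in Python (my own, not Suricata's or Snort's code and not from anyone on the list). It parses the `tag` option in both the `tag:session,300,seconds;` form Duane uses and the multi-limit form in Edward's Snort rule, then replays a constructed session against the parsed limits so you can see, before deploying a rule, how many extra packets it would log. Treating a count of 0 as "this metric does not limit" and the order in which limits are checked are my assumptions about the `0,packets` form, not behaviour the thread documents; the packets are constructed.

```python
"""Parse the ``tag`` rule option from the thread and replay a session against it.
Added example: not Suricata's or Snort's code and not from anyone on the list.
The rule is Edward's from the thread (quotes straightened); packets are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TAG_TYPES = {"session", "host"}
METRICS = {"packets", "seconds", "bytes"}
DIRECTIONS = {"src", "dst"}


@dataclass
class TagSpec:
    tag_type: str
    limits: List[Tuple[int, str]]      # (count, metric) pairs in rule order
    direction: Optional[str] = None    # only meaningful for host tags


def parse_tag(option: str) -> TagSpec:
    """Parse 'tag:session,300,seconds;' or the multi-limit form
    'tag:session,1000,bytes,100,seconds,0,packets;'."""
    m = re.fullmatch(r"\s*tag\s*:\s*(.*?)\s*;?\s*", option)
    if not m:
        raise ValueError(f"not a tag option: {option!r}")
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) < 3 or parts[0] not in TAG_TYPES:
        raise ValueError(f"expected tag:<session|host>,<count>,<metric>: {option!r}")
    tag_type, rest = parts[0], parts[1:]
    direction = rest.pop() if rest[-1] in DIRECTIONS else None
    if direction and tag_type != "host":
        raise ValueError("src/dst only applies to host tags")
    if len(rest) % 2:
        raise ValueError("count/metric pairs are unbalanced")
    limits, seen = [], set()
    for count_s, metric in zip(rest[::2], rest[1::2]):
        if not count_s.isdigit() or metric not in METRICS:
            raise ValueError(f"bad limit {count_s},{metric}")
        if metric in seen:
            raise ValueError(f"metric {metric} given twice")
        seen.add(metric)
        limits.append((int(count_s), metric))
    return TagSpec(tag_type, limits, direction)


def extract_tag(rule: str) -> Optional[str]:
    """Return the tag option from a full rule line, or None if the rule has none."""
    m = re.search(r"\btag\s*:[^;]*;", rule)
    return m.group(0) if m else None


@dataclass
class Packet:
    ts: float    # seconds after the packet that fired the alert
    size: int    # bytes on the wire


def tagged_packets(spec: TagSpec, session: List[Packet]) -> List[Packet]:
    """Simplified model of tagging: after the alert, keep logging the session's
    packets until any non-zero limit would be exceeded.  A count of 0 is treated
    as 'this metric does not limit' (an assumption about the 0,packets form in
    Edward's rule, not something the thread states)."""
    logged, total_bytes = [], 0
    for pkt in session:
        for count, metric in spec.limits:
            if count == 0:
                continue
            if metric == "packets" and len(logged) >= count:
                return logged
            if metric == "seconds" and pkt.ts > count:
                return logged
            if metric == "bytes" and total_bytes + pkt.size > count:
                return logged
        logged.append(pkt)
        total_bytes += pkt.size
    return logged


# Edward's rule from the thread, with straight quotes.
EDWARD_RULE = ('alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet '
               'Evil-IP 85.19.221.54 (gamelinux.org)"; flags:S; '
               'tag:session,1000,bytes,100,seconds,0,packets; '
               'classtype:trojan-activity; sid:201102011; rev:1;)')

# Constructed session: four packets following the alerting SYN.
SESSION = [Packet(1.0, 400), Packet(2.0, 400), Packet(3.0, 300), Packet(150.0, 200)]


def demo() -> dict:
    """How many packets each tag form would log for the constructed session."""
    byte_limited = tagged_packets(parse_tag(extract_tag(EDWARD_RULE)), SESSION)
    time_limited = tagged_packets(parse_tag("tag:session,300,seconds;"), SESSION)
    return {"bytes_rule": len(byte_limited), "seconds_rule": len(time_limited)}


if __name__ == "__main__":
    print(demo())   # {'bytes_rule': 2, 'seconds_rule': 4}
```

Running the parser over a ruleset before it reaches the sensors is also a cheap way to catch the failure Duane is chasing from the other side: a rule whose `tag` option is malformed, or has no `tag` at all, will never produce tagged packets regardless of which Suricata version is deployed.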