[Oisf-users] Logging full sessions and HTTP logs concurrently
Victor Julien
lists at inliniac.net
Thu Oct 10 07:33:43 UTC 2013
On 09/27/2013 07:06 PM, Duane Howard wrote:
> FWIW I'm still not getting the payload information for these rule after
> rolling out 1.4.6 to my sensors. Still only getting TCP flags
> SYN/SYN,ACK/ACK, FIN, etc. and TCP options. But no TCP payload data in
> the packet. We are still however getting HTTP content in the http.log
> file. Any ideas? Things I can do to provide more info, something I might
> have misconfigured?
Right, it appears that the "session" tagging isn't functioning
correctly. If you use "host" it works fine here, also with your rule.
Looking into it.
Cheers,
Victor
> On Thu, Sep 19, 2013 at 8:24 AM, Victor Julien <lists at inliniac.net> wrote:
>
> On 09/19/2013 04:37 PM, Victor Julien wrote:
> > On 09/19/2013 04:31 PM, Duane Howard wrote:
> >> Victor, am I correct in my interpretation of these responses that
> because I
> >> do have "tag:session,300,seconds;" in my rule, this should be
> working, but
> >> Suricata has a bug (tracking at
> >> https://redmine.openinfosecfoundation.org/issues/969) that is
> relevant to
> >> this, and that my lack of packets is *not* due to the HTTP
> logging module
> >> being enabled?
> >
> > Yes. The HTTP logging module is not related to this in any way.
> >
> > If you want to test the fix, please try:
> >
> > https://github.com/inliniac/suricata/pull/557 (if you're willing
> to test
> > the master branch)
> > or:
> > https://github.com/inliniac/suricata/tree/dev-fix-tag-14 (if you're on
> > 1.4.x)
> >
>
> I've pushed both fixes out, so both "master" and "master-1.4.x" have
> it now.
>
> Will be in 1.4.6. Should be out next week.
>
> Cheers,
> Victor
>
> > Cheers,
> > Victor
> >
> >>
> >> ./d
> >>
> >>
> >> On Thu, Sep 19, 2013 at 2:31 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
> >>
> >>> On Thu, Sep 19, 2013 at 2:58 PM, Victor Julien <lists at inliniac.net> wrote:
> >>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>> Hash: SHA1
> >>>>
> >>>> On 09/19/2013 11:24 AM, Edward Fjellskål wrote:
> >>>>> I googled, but did not find any docs about it.... saw some hits on
> >>>>> the sourcecode, but did not dig into them.
> >>>>>
> >>>>> This is a great feature to have though, and I guess one can use
> >>>>> this for a fairly good packet capture and might satisfy the
> initial
> >>>>> request?
> >>>>
> >>>> When fixed, this works by pushing the tags into the unified2
> records,
> >>>> so barnyard2 would have to make pcap files out of that. Not
> sure how
> >>>> to configure by2 for that though.
> >>>>
> >>>
> >>> When tagged packets are logged, what will we log as the alert sid in
> >>> the barnyard hdr, for packets that didn't trigger any alerts?
> >>>
> >>>>> On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <lists at inliniac.net> wrote:
> >>>>>
> >>>>> On 09/19/2013 09:07 AM, Edward Fjellskål wrote:
> >>>>>> https://redmine.openinfosecfoundation.org/issues/120
> >>>>>
> >>>>>> Snort would be able to do this like:
> >>>>>
> >>>>>> alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet
> >>>>>> Evil-IP 85.19.221.54 (gamelinux.org)";
> >>>>>> flags:S; tag:session,1000,bytes,100,seconds,0,packets;
> >>>>>> classtype:trojan-activity; sid:201102011; rev:1;)
> >>>>>
> >>>>> We support this tagging as well, never really benched it.
> >>>>>
> >>>
> >>>
> >>> --
> >>> -------------------------------
> >>> Anoop Saldanha
> >>> http://www.poona.me
> >>> -------------------------------
> >>> _______________________________________________
> >>> Suricata IDS Users mailing list:
> oisf-users at openinfosecfoundation.org
> <mailto:oisf-users at openinfosecfoundation.org>
> >>> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> >>> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>> OISF: http://www.openinfosecfoundation.org/
> >>>
> >>
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
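The thread turns on the `tag:` keyword (the `tag:session,300,seconds;` rule that failed to tag and the Snort-style rule with several count/metric pairs). As an added example that is not part of this thread or of Suricata's own code, here is a small validator that extracts `tag:` options from rule text and reports the tag type, limits and direction it asks for; the accepted grammar (session|host, then count/metric pairs, optional src|dst for host) is an assumption based on the syntax shown in the thread, and the sample rule uses a constructed RFC 5737 address.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TAG_TYPES = {"session", "host"}
TAG_METRICS = {"packets", "seconds", "bytes"}
TAG_DIRECTIONS = {"src", "dst"}

@dataclass
class Tag:
    tag_type: str                      # "session" or "host"
    limits: Dict[str, int] = field(default_factory=dict)  # metric -> count
    direction: Optional[str] = None    # only meaningful for tag:host

def parse_tag(option: str) -> Tag:
    """Parse the body of a tag: option, e.g. 'session,300,seconds' or the
    Snort-style 'session,1000,bytes,100,seconds,0,packets' (assumed grammar)."""
    parts = [p.strip() for p in option.strip().rstrip(";").split(",")]
    if not parts or parts[0] not in TAG_TYPES:
        raise ValueError(f"unknown tag type: {parts[0]!r}")
    tag = Tag(tag_type=parts[0])
    rest = parts[1:]
    # a trailing src/dst selects which host of the alerting packet is tagged
    if rest and rest[-1] in TAG_DIRECTIONS:
        if tag.tag_type != "host":
            raise ValueError("direction is only valid with tag:host")
        tag.direction = rest.pop()
    if len(rest) < 2 or len(rest) % 2:
        raise ValueError("expected one or more <count>,<metric> pairs")
    for count, metric in zip(rest[0::2], rest[1::2]):
        if metric not in TAG_METRICS:
            raise ValueError(f"unknown metric: {metric!r}")
        if not count.isdigit():
            raise ValueError(f"count must be numeric: {count!r}")
        if metric in tag.limits:
            raise ValueError(f"metric given twice: {metric}")
        tag.limits[metric] = int(count)   # 0 is kept verbatim, engine decides meaning
    return tag

TAG_RE = re.compile(r"\btag\s*:\s*([^;]+);")

def tags_in_rule(rule: str) -> List[Tag]:
    """Return every tag: option found in a rule, in order of appearance."""
    return [parse_tag(m.group(1)) for m in TAG_RE.finditer(rule)]

# constructed sample rule modelled on the Snort rule quoted in the thread
SAMPLE_RULE = ('alert tcp 192.0.2.10 any <> $HOME_NET any (msg:"Log packets from '
               'example IP"; flags:S; tag:session,1000,bytes,100,seconds,0,packets; '
               'classtype:trojan-activity; sid:1000001; rev:1;)')
```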