[Oisf-users] Logging full sessions and HTTP logs concurrently

Victor Julien lists at inliniac.net
Thu Oct 10 07:33:43 UTC 2013


On 09/27/2013 07:06 PM, Duane Howard wrote:
> FWIW I'm still not getting the payload information for these rules after
> rolling out 1.4.6 to my sensors. Still only getting TCP flags
> SYN/SYN,ACK/ACK, FIN, etc. and TCP options. But no TCP payload data in
> the packet. We are still however getting HTTP content in the http.log
> file. Any ideas? Things I can do to provide more info, something I might
> have misconfigured?

Right, it appears that the "session" tagging isn't functioning
correctly. If you use "host" it works fine here, also with your rule.
Looking into it.

Cheers,
Victor

> On Thu, Sep 19, 2013 at 8:24 AM, Victor Julien <lists at inliniac.net> wrote:
> 
>     On 09/19/2013 04:37 PM, Victor Julien wrote:
>     > On 09/19/2013 04:31 PM, Duane Howard wrote:
>     >> Victor, am I correct in my interpretation of these responses that
>     >> because I do have "tag:session,300,seconds;" in my rule, this should be
>     >> working, but Suricata has a bug (tracking at
>     >> https://redmine.openinfosecfoundation.org/issues/969) that is
>     >> relevant to this, and that my lack of packets is *not* due to the HTTP
>     >> logging module being enabled?
>     >
>     > Yes. The HTTP logging module is not related to this in any way.
>     >
>     > If you want to test the fix, please try:
>     >
>     > https://github.com/inliniac/suricata/pull/557 (if you're willing
>     > to test the master branch)
>     > or:
>     > https://github.com/inliniac/suricata/tree/dev-fix-tag-14 (if you're on
>     > 1.4.x)
>     >
> 
>     I've pushed both fixes out, so both "master" and "master-1.4.x" have
>     it now.
> 
>     Will be in 1.4.6. Should be out next week.
> 
>     Cheers,
>     Victor
> 
>     > Cheers,
>     > Victor
>     >
>     >>
>     >> ./d
>     >>
>     >>
>     >> On Thu, Sep 19, 2013 at 2:31 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>     >>
>     >>> On Thu, Sep 19, 2013 at 2:58 PM, Victor Julien <lists at inliniac.net> wrote:
>     >>>> -----BEGIN PGP SIGNED MESSAGE-----
>     >>>> Hash: SHA1
>     >>>>
>     >>>> On 09/19/2013 11:24 AM, Edward Fjellskål wrote:
>     >>>>> I googled, but did not find any docs about it.... saw some hits on
>     >>>>> the sourcecode, but did not dig into them.
>     >>>>>
>     >>>>> This is a great feature to have though, and I guess one can use
>     >>>>> this for a fairly good packet capture and might satisfy the
>     >>>>> initial request?
>     >>>>
>     >>>> When fixed, this works by pushing the tags into the unified2
>     >>>> records, so barnyard2 would have to make pcap files out of that.
>     >>>> Not sure how to configure by2 for that though.
>     >>>>
>     >>>
>     >>> When tagged packets are logged, what will we log as the alert sid in
>     >>> barnyard hdr, for packets that didn't trigger any alerts?
>     >>>
>     >>>>> On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <lists at inliniac.net> wrote:
>     >>>>>
>     >>>>> On 09/19/2013 09:07 AM, Edward Fjellskål wrote:
>     >>>>>> https://redmine.openinfosecfoundation.org/issues/120
>     >>>>>
>     >>>>>> Snort would be able to do this like:
>     >>>>>
>     >>>>>> alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet
>     >>>>>> Evil-IP 85.19.221.54 (gamelinux.org)"; flags:S;
>     >>>>>> tag:session,1000,bytes,100,seconds,0,packets;
>     >>>>>> classtype:trojan-activity; sid:201102011; rev:1;)
>     >>>>>
>     >>>>> We support this tagging as well, never really benched it.
>     >>>>>
>     >>>
>     >>>
>     >>> --
>     >>> -------------------------------
>     >>> Anoop Saldanha
>     >>> http://www.poona.me
>     >>> -------------------------------
>     >>> _______________________________________________
>     >>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>     >>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>     >>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     >>> OISF: http://www.openinfosecfoundation.org/
>     >>>
>     >>
>     >
>     >
> 
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
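The thread turns on the difference between "session" and "host" tagging and on the count/metric limits a tag carries. The following is an added example, written for this archive page and not code from Suricata, Snort or anyone on the list: it parses the value of a tag option (both the single count,metric form and the older multi-pair form seen in the quoted Snort rule), pulls the option out of a rule string, and then models which packets of a small constructed capture a tag would cause to be logged. The names parse_tag, extract_tag, tagged_packets, TagSpec and Packet, the sample packets, and the simplified semantics (a session tag follows the triggering 5-tuple both ways, a host tag follows every packet to or from the chosen host, a count of 0 means no limit, and host tags must name src or dst) are assumptions of this example, not a description of how either engine implements tagging.

```python
"""Added example (not Suricata's code): parse the Snort/Suricata ``tag``
rule option and model which packets a tag would cause to be logged."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

VALID_TYPES = {"session", "host"}
VALID_METRICS = {"packets", "seconds", "bytes"}
VALID_DIRECTIONS = {"src", "dst"}


@dataclass
class TagSpec:
    mode: str                        # "session" or "host"
    limits: Dict[str, int]           # metric -> count; 0 means no limit on that metric
    direction: Optional[str] = None  # "src"/"dst", host mode only


def parse_tag(option: str) -> TagSpec:
    """Parse a tag option value such as 'session,300,seconds'.

    Accepts the single count,metric pair and the older Snort multi-pair form
    ('session,1000,bytes,100,seconds,0,packets') from the rule quoted on the
    list.  Raises ValueError on malformed input.
    """
    parts = [p.strip() for p in option.strip().rstrip(";").split(",")]
    if parts[0] not in VALID_TYPES:
        raise ValueError(f"tag type must be session or host: {option!r}")
    mode, rest = parts[0], parts[1:]
    direction = None
    if rest and rest[-1] in VALID_DIRECTIONS:
        direction = rest.pop()
        if mode != "host":
            raise ValueError("src/dst direction only applies to tag:host")
    if not rest or len(rest) % 2:
        raise ValueError(f"expected one or more count,metric pairs: {option!r}")
    limits: Dict[str, int] = {}
    for count, metric in zip(rest[0::2], rest[1::2]):
        if not count.isdigit():
            raise ValueError(f"count must be a non-negative integer: {count!r}")
        if metric not in VALID_METRICS:
            raise ValueError(f"unknown metric {metric!r}")
        if metric in limits:
            raise ValueError(f"metric {metric!r} given twice")
        limits[metric] = int(count)
    if mode == "host" and direction is None:
        # This model requires an explicit direction so the tracked host is
        # unambiguous (a choice of this example, not an engine rule).
        raise ValueError("tag:host needs a src or dst direction")
    return TagSpec(mode, limits, direction)


TAG_OPTION_RE = re.compile(r"\btag\s*:\s*([^;]+);")


def extract_tag(rule: str) -> Optional[str]:
    """Return the raw tag option value from a rule text, or None if absent."""
    m = TAG_OPTION_RE.search(rule)
    return m.group(1).strip() if m else None


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    length: int   # bytes on the wire


def tagged_packets(spec: TagSpec, packets: List[Packet], trigger: int) -> List[int]:
    """Indices of packets after packets[trigger] that the tag would log.

    Simplified model: a session tag follows the triggering 5-tuple in both
    directions; a host tag follows every packet to or from the trigger's src
    (or dst) host; each non-zero metric is an upper bound that ends the tag.
    """
    trig = packets[trigger]
    fwd = (trig.src, trig.sport, trig.dst, trig.dport)
    rev = (trig.dst, trig.dport, trig.src, trig.sport)
    host = trig.src if spec.direction == "src" else trig.dst

    def in_scope(p: Packet) -> bool:
        if spec.mode == "session":
            return (p.src, p.sport, p.dst, p.dport) in (fwd, rev)
        return host in (p.src, p.dst)

    selected: List[int] = []
    seen_bytes = 0
    for i in range(trigger + 1, len(packets)):
        p = packets[i]
        if not in_scope(p):
            continue
        if spec.limits.get("seconds") and p.ts - trig.ts > spec.limits["seconds"]:
            break  # tag window expired
        if spec.limits.get("packets") and len(selected) >= spec.limits["packets"]:
            break
        if spec.limits.get("bytes") and seen_bytes + p.length > spec.limits["bytes"]:
            break
        selected.append(i)
        seen_bytes += p.length
    return selected


# Constructed traffic: one HTTP session from 10.0.0.5, an unrelated session
# from the same host, a packet from another client, and a late packet of the
# first session well after a 300 second window.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", 40000, "192.0.2.10", 80, 60),     # 0: SYN, triggers the rule
    Packet(0.1, "192.0.2.10", 80, "10.0.0.5", 40000, 60),     # 1: SYN/ACK
    Packet(0.2, "10.0.0.5", 40000, "192.0.2.10", 80, 52),     # 2: ACK
    Packet(0.3, "10.0.0.5", 40001, "192.0.2.20", 443, 60),    # 3: other session, same host
    Packet(0.5, "10.0.0.5", 40000, "192.0.2.10", 80, 500),    # 4: HTTP request
    Packet(1.0, "192.0.2.10", 80, "10.0.0.5", 40000, 1400),   # 5: HTTP response
    Packet(2.0, "10.0.0.9", 5000, "192.0.2.10", 80, 60),      # 6: different client
    Packet(400.0, "10.0.0.5", 40000, "192.0.2.10", 80, 52),   # 7: same session, 400 s later
]

# The Snort rule quoted on the list, with its tag option intact.
SNORT_RULE = ('alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet '
              'Evil-IP 85.19.221.54 (gamelinux.org)"; flags:S; '
              'tag:session,1000,bytes,100,seconds,0,packets; '
              'classtype:trojan-activity; sid:201102011; rev:1;)')

if __name__ == "__main__":
    for opt in ("session,300,seconds", "host,300,seconds,src", extract_tag(SNORT_RULE)):
        spec = parse_tag(opt)
        print(f"{opt:45} -> logs packets {tagged_packets(spec, SAMPLE_PACKETS, 0)}")
```

Run as a script it shows why the two modes differ on the same capture: the session tag logs only the SYN/ACK, ACK, request and response of the triggering connection and stops at the late packet once the 300 second window has passed, while the host tag on src additionally picks up the unrelated 443 session from the same client. With the quoted multi-pair option the 1000 byte budget is what ends the tag, before the 1400 byte response.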



