[Oisf-users] Logging full sessions and HTTP logs concurrently

Victor Julien lists at inliniac.net
Thu Oct 10 11:40:31 UTC 2013

On 10/10/2013 09:33 AM, Victor Julien wrote:
> On 09/27/2013 07:06 PM, Duane Howard wrote:
>> FWIW I'm still not getting the payload information for these rules after
>> rolling out 1.4.6 to my sensors. Still only getting TCP flags
>> SYN/SYN,ACK/ACK, FIN, etc. and TCP options. But no TCP payload data in
>> the packet. We are still however getting HTTP content in the http.log
>> file. Any ideas? Things I can do to provide more info, something I might
>> have misconfigured?
> Right, it appears that the "session" tagging isn't functioning
> correctly. If you use "host" it works fine here, also with your rule.
> Looking into it.

Found the issue. It's actually a silly bug. Fixing it is easy:

diff --git a/src/detect-tag.c b/src/detect-tag.c
index 9d7d859..a6d51a0 100644
--- a/src/detect-tag.c
+++ b/src/detect-tag.c
@@ -137,7 +137,7 @@ int DetectTagMatch (ThreadVars *t,
DetectEngineThreadCtx *det_ctx, Packet *p, Si
                 /* If it already exists it will be updated */
                 tde.sid = s->id;
                 tde.gid = s->gid;
-                tde.last_ts = tde.first_ts = p->ts.tv_usec;
+                tde.last_ts = tde.first_ts = p->ts.tv_sec;
                 tde.metric = td->metric;
                 tde.count = td->count;
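Review bot: storing `p->ts.tv_sec` makes `first_ts`/`last_ts` consistent with the seconds-based budget a `tag:session,300,seconds` rule expresses, but the comment two lines above, `/* If it already exists it will be updated */`, implies a separate path that refreshes `last_ts` on later matches; that path should be checked for the same `tv_usec` read, since one remaining microsecond assignment would reintroduce a value that wraps below 1000000 every second and defeats the fix. A one-line comment stating the unit next to this assignment (e.g. `/* whole seconds; compared against the packet clock at expiry */`) would help keep the two sites in step.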

This fix will go into 1.4.7 and 2.0beta2, but is already available in
the master-1.4.x and master branches.

A workaround is to use bytes or packets:

So instead of:

alert ip any any -> $IP any (msg:"log all traffic";
tag:session,300,seconds; sid:9; rev:1;)


alert ip any any -> $IP any (msg:"log all traffic";
tag:session,300,packets; sid:9; rev:1;)

You may want to change the value of 300 to something higher to be sure
to catch most of a session.


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
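As an added illustration (my own toy model, not Suricata's code and not part of the mail above), the following C shows why the one-field change matters: a tag budget expressed in seconds is checked by subtracting the stored start time from the packet clock in whole seconds, so a start time taken from tv_usec (a value below 1000000 that wraps every second) makes a 300-second tag expire on the very next packet, while the packets metric used in the workaround involves no time arithmetic at all. The struct, function names and timestamps are constructed for the example and do not correspond to Suricata's DetectTagDataEntry or its real expiry code.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Hypothetical tag record (not Suricata's DetectTagDataEntry): only the
 * fields needed to show why first_ts must hold whole seconds. */
typedef struct {
    uint32_t first_ts;   /* time the tag was set, seconds since the epoch */
    uint32_t last_ts;    /* time of the last tagged packet, same unit */
    uint32_t count;      /* budget: seconds or packets, depending on the rule */
    uint32_t packets;    /* packets tagged so far (packets metric only) */
} tag_entry_t;

/* Start a tag the way the pre-patch code did: the microsecond field is
 * stored, so first_ts is a value below 1000000 that wraps every second. */
static void tag_start_buggy(tag_entry_t *e, const struct timeval *ts, uint32_t count) {
    e->first_ts = e->last_ts = (uint32_t)ts->tv_usec;
    e->count = count;
    e->packets = 0;
}

/* Start a tag the way the patched code does: whole seconds. */
static void tag_start_fixed(tag_entry_t *e, const struct timeval *ts, uint32_t count) {
    e->first_ts = e->last_ts = (uint32_t)ts->tv_sec;
    e->count = count;
    e->packets = 0;
}

/* tag:...,N,seconds: tagging continues while fewer than N whole seconds
 * have elapsed since first_ts. The packet clock and first_ts must share
 * the same unit for the subtraction to mean anything. */
static int tag_active_seconds(tag_entry_t *e, const struct timeval *ts) {
    uint32_t now = (uint32_t)ts->tv_sec;
    if (now < e->first_ts)
        return 1;               /* clock went backwards; keep tagging */
    if (now - e->first_ts >= e->count)
        return 0;               /* budget exhausted */
    e->last_ts = now;
    return 1;
}

/* tag:...,N,packets: the workaround from the mail. No time arithmetic is
 * involved, so the tv_usec/tv_sec mix-up cannot affect it. */
static int tag_active_packets(tag_entry_t *e) {
    if (e->packets >= e->count)
        return 0;
    e->packets++;
    return 1;
}

/* Set a tag at (t0_sec, t0_usec) with the buggy or fixed start routine, then
 * report whether a packet at (t1_sec, t1_usec) is still tagged under a
 * seconds budget of `count`. Returns 1 for tagged, 0 for expired. */
int seconds_tag_still_active(int use_fix, long t0_sec, long t0_usec,
                             long t1_sec, long t1_usec, uint32_t count) {
    tag_entry_t e;
    struct timeval t0 = { .tv_sec = t0_sec, .tv_usec = t0_usec };
    struct timeval t1 = { .tv_sec = t1_sec, .tv_usec = t1_usec };
    if (use_fix)
        tag_start_fixed(&e, &t0, count);
    else
        tag_start_buggy(&e, &t0, count);
    return tag_active_seconds(&e, &t1);
}

/* How many of `n` packets get tagged under a packets budget of `count`. */
int packets_tagged(uint32_t count, uint32_t n) {
    tag_entry_t e;
    struct timeval t0 = { .tv_sec = 1381405231, .tv_usec = 123456 }; /* constructed */
    uint32_t tagged = 0;
    tag_start_buggy(&e, &t0, count);   /* the buggy start is harmless here */
    for (uint32_t i = 0; i < n; i++)
        if (tag_active_packets(&e))
            tagged++;
    return (int)tagged;
}

int main(void) {
    /* Constructed timestamps: a first packet at 1381405231.123456 and a
     * second one 10 seconds later, with a 300-second tag budget. */
    printf("fixed, +10s:  active=%d\n",
           seconds_tag_still_active(1, 1381405231, 123456, 1381405241, 500000, 300));
    printf("buggy, +10s:  active=%d\n",
           seconds_tag_still_active(0, 1381405231, 123456, 1381405241, 500000, 300));
    printf("fixed, +300s: active=%d\n",
           seconds_tag_still_active(1, 1381405231, 123456, 1381405531, 0, 300));
    printf("packets budget 300, 400 packets: tagged=%d\n", packets_tagged(300, 400));
    return 0;
}
```

With the buggy start the stored value (123456) is subtracted from an epoch clock of roughly 1.38e9 seconds, so the elapsed time looks like decades and the tag is dropped immediately; that matches the symptom in the thread (flags-only packets, no payload). The packets budget counts matches instead of seconds, which is why switching the rule to `packets` sidesteps the bug until 1.4.7.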
