[Oisf-users] Logging full sessions and HTTP logs concurrently

Duane Howard duane.security at gmail.com
Tue Oct 15 18:55:05 UTC 2013


Thanks, we'll work around this with the s/seconds/packets fix until 1.4.7
release.


On Thu, Oct 10, 2013 at 4:40 AM, Victor Julien <lists at inliniac.net> wrote:

> On 10/10/2013 09:33 AM, Victor Julien wrote:
> > On 09/27/2013 07:06 PM, Duane Howard wrote:
> >> FWIW I'm still not getting the payload information for these rule after
> >> rolling out 1.4.6 to my sensors. Still only getting TCP flags
> >> SYN/SYN,ACK/ACK, FIN, etc. and TCP options. But no TCP payload data in
> >> the packet. We are still however getting HTTP content in the http.log
> >> file. Any ideas? Things I can do to provide more info, something I might
> >> have misconfigured?
> >
> > Right, it appears that the "session" tagging isn't functioning
> > correctly. If you use "host" it works fine here, also with your rule.
> > Looking into it.
>
> Found the issue. It's actually a silly bug. Fixing it is easy:
>
> diff --git a/src/detect-tag.c b/src/detect-tag.c
> index 9d7d859..a6d51a0 100644
> --- a/src/detect-tag.c
> +++ b/src/detect-tag.c
> @@ -137,7 +137,7 @@ int DetectTagMatch (ThreadVars *t,
> DetectEngineThreadCtx *det_ctx, Packet *p, Si
>                  /* If it already exists it will be updated */
>                  tde.sid = s->id;
>                  tde.gid = s->gid;
> -                tde.last_ts = tde.first_ts = p->ts.tv_usec;
> +                tde.last_ts = tde.first_ts = p->ts.tv_sec;
>                  tde.metric = td->metric;
>                  tde.count = td->count;
>
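Review bot: at `tde.last_ts = tde.first_ts = p->ts.tv_sec;` the one-line fix is right, but nothing in this hunk stops the same unit mix-up from coming back: the comparison that later expires the tag is not touched here, so please add a short comment at the assignment stating that first_ts/last_ts are whole seconds and must only ever be compared against tv_sec, and add a regression test that fires a `tag:session,N,seconds` rule and asserts that follow-up packets of the session are still tagged, which is exactly the case that went unnoticed until 1.4.6. Also worth checking while here: any other site that writes first_ts or last_ts (the host tag path, which the thread reports as working) should use the same tv_sec unit, so the expiry check has a single unit to reason about.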
> This fix will go into 1.4.7 and 2.0beta2, but is already available in
> the master-1.4.x and master branches.
>
>
> A work around is to use bytes or packets:
>
> So instead of:
>
> alert ip any any -> $IP any (msg:"log all traffic";
> tag:session,300,seconds; sid:9; rev:1;)
>
> use:
>
> alert ip any any -> $IP any (msg:"log all traffic";
> tag:session,300,packets; sid:9; rev:1;)
>
> You may want to change the value of 300 to something higher to be sure
> to catch most of a session.
>
> https://redmine.openinfosecfoundation.org/issues/995
> https://redmine.openinfosecfoundation.org/issues/996
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
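To make the failure mode and the workaround from Victor's reply concrete, here is an added example in C that is not part of the original thread and not Suricata's own code. It is a simplified model of tag expiry: the assumption (mine, not taken from the Suricata source) is that the seconds metric expires a tag once first_ts + count <= the current packet's tv_sec, and that the packets metric expires it after count follow-up packets. The struct, the helpers tag_set, tag_handle_packet and tagged_packets, and the timestamps of the replayed session are all constructed for the example; the use_usec flag reproduces the bug the hunk fixes by storing tv_usec where whole seconds are expected.

```c
/* Added example: simplified model of tag expiry, not Suricata code. */
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

enum tag_metric { TAG_METRIC_SECONDS, TAG_METRIC_PACKETS };

struct tag_entry {
    int active;
    uint32_t first_ts;   /* whole seconds once fixed; tv_usec in the buggy variant */
    uint32_t last_ts;
    uint32_t packets;    /* follow-up packets tagged so far */
    enum tag_metric metric;
    uint32_t count;      /* the N in tag:session,N,<metric> */
};

/* Set the tag on the packet that matched the rule.
 * use_usec != 0 reproduces the bug: the timestamp is taken from tv_usec. */
static void tag_set(struct tag_entry *t, const struct timeval *ts,
                    enum tag_metric metric, uint32_t count, int use_usec)
{
    t->active = 1;
    t->first_ts = t->last_ts = use_usec ? (uint32_t)ts->tv_usec
                                        : (uint32_t)ts->tv_sec;
    t->packets = 0;
    t->metric = metric;
    t->count = count;
}

/* Called for every later packet of the tagged session.
 * Returns 1 if the packet is still covered by the tag (and would be logged). */
static int tag_handle_packet(struct tag_entry *t, const struct timeval *ts)
{
    if (!t->active)
        return 0;
    switch (t->metric) {
    case TAG_METRIC_SECONDS:
        /* assumption: expiry check of the form first_ts + count <= now (seconds) */
        if (t->first_ts + t->count <= (uint32_t)ts->tv_sec) {
            t->active = 0;
            return 0;
        }
        break;
    case TAG_METRIC_PACKETS:
        if (t->packets >= t->count) {
            t->active = 0;
            return 0;
        }
        break;
    }
    t->last_ts = (uint32_t)ts->tv_sec;
    t->packets++;
    return 1;
}

/* Replay a constructed session: the matching packet at a fixed base time,
 * then n_followup packets one second apart with a drifting tv_usec.
 * Returns how many follow-up packets the tag covered. */
static int tagged_packets(enum tag_metric metric, uint32_t count,
                          int use_usec, int n_followup)
{
    struct tag_entry t = {0};
    struct timeval ts = { .tv_sec = 1381234567, .tv_usec = 123456 }; /* constructed */
    int logged = 0;

    tag_set(&t, &ts, metric, count, use_usec);
    for (int i = 1; i <= n_followup; i++) {
        ts.tv_sec += 1;
        ts.tv_usec = (ts.tv_usec + 7919) % 1000000;
        logged += tag_handle_packet(&t, &ts);
    }
    return logged;
}

int main(void)
{
    printf("seconds metric, buggy tv_usec timestamp: %d packets covered\n",
           tagged_packets(TAG_METRIC_SECONDS, 300, 1, 1000));
    printf("seconds metric, fixed tv_sec timestamp:  %d packets covered\n",
           tagged_packets(TAG_METRIC_SECONDS, 300, 0, 1000));
    printf("packets metric (workaround):             %d packets covered\n",
           tagged_packets(TAG_METRIC_PACKETS, 300, 1, 1000));
    return 0;
}
```

With the tv_usec value stored as first_ts, first_ts + 300 is at most about one million, which is always below a tv_sec around 1.38e9, so the tag expires on the very next packet and nothing beyond the trigger packet is covered; that is the symptom Duane saw (flags and options logged, no payload). With tv_sec the same rule covers the following 299 one-second packets, and the packets metric covers exactly 300 follow-up packets regardless of the timestamp unit, which is why raising 300 matters for the workaround: it is now a packet budget, not a time window.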