[Oisf-users] Logging full sessions and HTTP logs concurrently

Duane Howard duane.security at gmail.com
Wed Sep 18 17:19:50 UTC 2013

Hey folks, another strange behavior I'm seeing that I'm wondering about.

I have a rule like this, which I believe should basically record all
sessions to IP_I_CARE_ABOUT:
alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic";
tag:session,300,seconds; reference:url,foo.example.com;
classtype:misc-activity; priority:2; sid:9000001; rev:1;)

I also have http logging enabled.
It seems like when this rule fires I get the SYN/SYN-ACK/ACK, but do not
get any further traffic when the traffic is HTTP. I do, however, get
corresponding HTTP text logs written to my http.log file.

Is this working as intended? I assumed that I would get the full capture as
well as the plaintext log of the HTTP traffic.
