[Oisf-users] Logging full sessions and HTTP logs concurrently

Cooper F. Nelson cnelson at ucsd.edu
Wed Sep 18 17:59:49 UTC 2013



I'm pretty sure the way suricata works internally is that a single alert
will only trigger once per flow.

If you want to record traffic, I'll suggest using tcpdump or tcpflow.

-Coop

On 9/18/2013 10:19 AM, Duane Howard wrote:
> Hey folks, another strange behavior I'm seeing that I'm wondering about.
> 
> I have a rule like this, which I believe should basically record all
> sessions to IP_I_CARE_ABOUT:
> alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic";
> tag:session,300,seconds; reference:url,foo.example.com;
> classtype:misc-activity; priority:2; sid:9000001; rev:1;)
> 
> I also have http logging enabled.
> It seems like when this rule fires I get the SYN/SYN-ACK/ACK, but do not
> get any further traffic when the traffic is HTTP, I do however get
> corresponding HTTP text logs written to my http.log file.
> 
> Is this working as intended? I assumed that I would get the full capture as
> well as the plaintext log of the HTTP traffic.
> 
> Thanks,
> /.d
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
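Coop's tcpdump suggestion worked into a small capture script, as an added example that is not part of the thread: it turns the header of the rule quoted above (`$HOME_NET any -> $IP_I_CARE_ABOUT any`) into a bidirectional BPF filter, since tcpdump filters are stateless and a session needs both directions, and rotates the capture on the same 300-second window the `tag` uses. The interface, network ranges and output directory are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread. Captures full
# sessions to the IP of interest with tcpdump while Suricata keeps writing
# http.log. Interface, HOME_NET, target IP and output path are assumptions.

# Build a BPF filter equivalent to the rule header
#   alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any
# but matching both directions of the flow, because tcpdump has no
# session state and would otherwise record only one side.
#   $1 = HOME_NET (CIDR), $2 = IP_I_CARE_ABOUT
build_filter() {
    home_net="$1"
    target="$2"
    printf '(src net %s and dst host %s) or (src host %s and dst net %s)' \
        "$home_net" "$target" "$target" "$home_net"
}

# Run tcpdump with file rotation so a long-running capture stays manageable.
#   $1 = interface, $2 = BPF filter, $3 = output directory
# -n: no name resolution, -s 0: full packets,
# -G 300: start a new file every 300 seconds (the tag's window above),
# -w with strftime format: timestamped file names.
run_capture() {
    iface="$1"
    filter="$2"
    outdir="$3"
    mkdir -p "$outdir"
    exec tcpdump -n -s 0 -i "$iface" -G 300 \
        -w "$outdir/session-%Y%m%d-%H%M%S.pcap" "$filter"
}

main() {
    # Placeholder values; override through the environment.
    home_net="${HOME_NET:-10.0.0.0/8}"
    target="${IP_I_CARE_ABOUT:-192.0.2.10}"
    run_capture "${IFACE:-eth0}" \
        "$(build_filter "$home_net" "$target")" \
        "${OUTDIR:-/var/log/session-pcap}"
}

# Only start capturing when explicitly asked, so the script can be sourced
# to reuse build_filter without launching tcpdump.
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    main
fi
```

Run it as `RUN_CAPTURE=1 IFACE=eth0 IP_I_CARE_ABOUT=192.0.2.10 sh capture_sessions.sh`; the resulting pcaps can be correlated with http.log entries by timestamp and destination IP.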


