[Oisf-users] Logging full sessions and HTTP logs concurrently

Brant Wells bwells at tfc.edu
Wed Sep 18 18:05:46 UTC 2013


If you want to record ALL the traffic, I would recommend something
like Daemonlogger or OpenFPC, or Gulp (an older program; source code
available at http://staff.washington.edu/corey/gulp/).

If you want to record traffic from a single IP, then Gulp is fairly
simple: just tell it how many files to use as a ring buffer and let it fly.
Daemonlogger is a bit more modern and works fairly well on my server here
(it runs on the same server as Suricata).

See Yas!
~Brant




On Wed, Sep 18, 2013 at 1:59 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

>
> I'm pretty sure the way suricata works internally is that a single alert
> will only trigger once per flow.
>
> If you want to record traffic, I'll suggest using tcpdump or tcpflow.
>
> - -Coop
>
> On 9/18/2013 10:19 AM, Duane Howard wrote:
> > Hey folks, another strange behavior I'm seeing that I'm wondering about.
> >
> > I have a rule like this, which I believe should basically record all
> > sessions to IP_I_CARE_ABOUT:
> > alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic"; tag:session,300,seconds; reference:url,foo.example.com; classtype:misc-activity; priority:2; sid:9000001; rev:1;)
> >
> > I also have http logging enabled.
> > It seems like when this rule fires I get the SYN/SYN-ACK/ACK, but do not
> > get any further traffic when the traffic is HTTP, I do however get
> > corresponding HTTP text logs written to my http.log file.
> >
> > Is this working as intended? I assumed that I would get the full capture
> > as well as the plaintext log of the HTTP traffic.
> >
> > Thanks,
> > /.d
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042



-- 
~Brant Wells
Network Administrator
Toccoa Falls College
107 North Chapel Drive Toccoa Falls, GA 30598
706-886-7299 x5414 * bwells at tfc.edu
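The ring-buffer recorders mentioned in this thread (Gulp, Daemonlogger) share one mechanism: filter frames down to the host of interest and write them into size-rotated pcap files, deleting the oldest file once the ring is full. The following is an added example written for this page in Python; it is not code from the thread, from Suricata, or from any of those tools. The addresses, frame contents, file-size limits and the capture.NNNNNN.pcap naming are assumptions made up for the demonstration, and the packets are constructed in the script rather than captured.

```python
"""Ring-buffer packet recorder for one host (the idea behind Gulp/Daemonlogger).

Added example; not code from Suricata, Gulp, Daemonlogger or OpenFPC.
Frames are parsed as Ethernet/IPv4 with struct, only frames to or from the
watched host are kept, and they go into pcap files that rotate by size with
at most `max_files` retained. All traffic below is constructed test input.
"""
import glob
import ipaddress
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800


def host_matches(frame: bytes, host: str) -> bool:
    """True if the frame is IPv4 and `host` is its source or destination."""
    if len(frame) < 34:                                   # 14 Ethernet + 20 minimum IPv4
        return False
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return False                                      # ARP/IPv6/VLAN-tagged: not handled here
    if frame[14] >> 4 != 4:
        return False
    want = ipaddress.IPv4Address(host).packed
    return frame[26:30] == want or frame[30:34] == want   # IPv4 src / dst fields


class PcapRing:
    """Write pcap records into size-rotated files, keeping only the newest `max_files`."""

    def __init__(self, directory, max_file_bytes, max_files, snaplen=65535):
        self.dir, self.max_file_bytes, self.max_files = directory, max_file_bytes, max_files
        self.snaplen, self.files, self.seq, self.fh, self.size = snaplen, [], 0, None, 0

    def _rotate(self):
        self.close()
        path = os.path.join(self.dir, "capture.%06d.pcap" % self.seq)  # assumed naming
        self.seq += 1
        self.fh = open(path, "wb")
        self.fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, self.snaplen, LINKTYPE_ETHERNET))
        self.size = 24                                    # global header length
        self.files.append(path)
        while len(self.files) > self.max_files:           # ring is full: drop the oldest file
            os.remove(self.files.pop(0))

    def write(self, ts: float, frame: bytes):
        caplen = min(len(frame), self.snaplen)
        if self.fh is None or self.size + 16 + caplen > self.max_file_bytes:
            self._rotate()
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        self.fh.write(struct.pack("<IIII", sec, usec, caplen, len(frame)))
        self.fh.write(frame[:caplen])
        self.size += 16 + caplen

    def close(self):
        if self.fh is not None:
            self.fh.close()
            self.fh = None


def read_pcap(path):
    """Read back (timestamp, frame) tuples from one pcap file written above."""
    with open(path, "rb") as fh:
        data = fh.read()
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file: %s" % path)
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append((sec + usec / 1e6, data[off:off + caplen]))
        off += caplen
    return packets


def record(frames, host, directory, max_file_bytes, max_files):
    """Filter `frames` ((ts, bytes) pairs) to `host` and push them through the ring."""
    ring = PcapRing(directory, max_file_bytes, max_files)
    written = 0
    for ts, frame in frames:
        if host_matches(frame, host):
            ring.write(ts, frame)
            written += 1
    ring.close()
    kept = sorted(glob.glob(os.path.join(directory, "capture.*.pcap")))
    return {"written": written, "kept_files": kept,
            "kept_packets": sum(len(read_pcap(p)) for p in kept)}


def ipv4_frame(src, dst, payload=b"", proto=6):
    """Constructed Ethernet+IPv4 frame (no checksums, no L4 header) for testing."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def sample_frames():
    """Constructed traffic: 7 frames involving 10.0.0.5, 3 IPv4 noise frames, 1 ARP frame."""
    watched = [(1000.0 + i, ipv4_frame("10.0.0.5", "192.0.2.10", b"GET / HTTP")) for i in range(7)]
    noise = [(2000.0 + i, ipv4_frame("192.0.2.20", "192.0.2.30", b"GET / HTTP")) for i in range(3)]
    arp = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)
    return watched + noise + [(3000.0, arp)]


def demo(max_file_bytes=200, max_files=2):
    """Run the recorder on the sample traffic in a fresh temporary directory."""
    directory = tempfile.mkdtemp(prefix="ring-")
    return record(sample_frames(), "10.0.0.5", directory, max_file_bytes, max_files)


if __name__ == "__main__":
    r = demo()
    print("matched %d frames; %d files kept holding %d packets"
          % (r["written"], len(r["kept_files"]), r["kept_packets"]))
```

With the defaults in demo() each 44-byte frame costs 60 bytes on disk, so a 200-byte file holds two records; the seven matching frames fill four files and the ring keeps only the newest two. On live traffic you would feed record() from a raw socket or libpcap instead of sample_frames(). The filter deliberately keeps both directions of the host's traffic, since the replies are part of the session you are trying to preserve, which is what the tag:session rule in the original question was after.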