[Oisf-users] Logging full sessions and HTTP logs concurrently

Eoin Miller eoin.miller at trojanedbinaries.com
Wed Sep 18 18:13:43 UTC 2013

On 9/18/2013 17:19, Duane Howard wrote:
> Hey folks, another strange behavior I'm seeing that I'm wondering about.
> I have a rule like this, which I believe should basically record all
> sessions to IP_I_CARE_ABOUT:
> alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic";
> tag:session,300,seconds; reference:url,foo.example.com
> <http://foo.example.com>; classtype:misc-activity; priority:2;
> sid:9000001; rev:1;)
> I also have http logging enabled.
> It seems like when this rule fires I get the SYN/SYN-ACK/ACK, but do not
> get any further traffic when the traffic is HTTP, I do however get
> corresponding HTTP text logs written to my http.log file.
> Is this working as intended? I assumed that I would get the full capture
> as well as the plaintext log of the HTTP traffic.
> Thanks,
> /.d

You should take a look at Moloch.


-- Eoin

More information about the Oisf-users mailing list