[Oisf-users] Logging full sessions and HTTP logs concurrently

Duane Howard duane.security at gmail.com
Wed Sep 18 19:26:51 UTC 2013


Downside is "yet another service" on my many sensors, which I was hoping to
avoid. I'm assuming there's no flag to tell Suricata to log to http.log and
a u2 file?


On Wed, Sep 18, 2013 at 11:13 AM, Eoin Miller <eoin.miller at trojanedbinaries.com> wrote:

> On 9/18/2013 17:19, Duane Howard wrote:
> > Hey folks, another strange behavior I'm seeing that I'm wondering about.
> >
> > I have a rule like this, which I believe should basically record all
> > sessions to IP_I_CARE_ABOUT:
> > alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic";
> > tag:session,300,seconds; reference:url,foo.example.com;
> > classtype:misc-activity; priority:2; sid:9000001; rev:1;)
> >
> > I also have http logging enabled.
> > It seems like when this rule fires I get the SYN/SYN-ACK/ACK but do not
> > get any further traffic when the traffic is HTTP; I do, however, get
> > corresponding HTTP text logs written to my http.log file.
> >
> > Is this working as intended? I assumed that I would get the full capture
> > as well as the plaintext log of the HTTP traffic.
> >
> > Thanks,
> > /.d
>
> You should take a look at Moloch.
>
> http://molo.ch
> http://github.com/aol/moloch
>
> -- Eoin
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
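The symptom described in the thread (a tagged session whose capture holds only the SYN/SYN-ACK/ACK while http.log is still written) can be checked after the fact by looking for flows in the capture that never carried a payload. The following is an added example, not code from the thread or from Suricata: a dependency-free Python script that builds a small constructed pcap (the addresses 10.0.0.x and 203.0.113.10 stand in for $HOME_NET and $IP_I_CARE_ABOUT and are made up, as is the HTTP exchange), parses the libpcap format and Ethernet/IPv4/TCP headers directly, groups packets into bidirectional flows, and flags flows that consist of handshake packets only.

```python
import struct
from collections import defaultdict

# TCP flag bits used below
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, sport, dst, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed checksums (constructed sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip4(src), _ip4(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4


def build_pcap(frames):
    """Little-endian libpcap file, link type 1 (Ethernet), fabricated timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1379531211 + i, 0, len(f), len(f)) + f
    return out


def iter_frames(pcap):
    """Yield the raw frame bytes of each record in a libpcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) pcaps are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload_len) or None for non-TCP frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    total = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, sport, dst, dport, tcp[13], len(tcp) - data_off


def flow_key(src, sport, dst, dport):
    """Direction-independent flow identifier."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def summarize_flows(pcap):
    flows = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "flags_seen": 0})
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, flags, plen = parsed
        f = flows[flow_key(src, sport, dst, dport)]
        f["packets"] += 1
        f["payload_bytes"] += plen
        f["flags_seen"] |= flags
    for f in flows.values():
        # Handshake-only: no application data and no flags beyond SYN/ACK.
        f["handshake_only"] = f["payload_bytes"] == 0 and (f["flags_seen"] & ~(SYN | ACK)) == 0
    return dict(flows)


def handshake_only_flows(pcap):
    return sorted(k for k, f in summarize_flows(pcap).items() if f["handshake_only"])


# Constructed sample: placeholder for $IP_I_CARE_ABOUT from the rule in the thread.
WATCHED_HOST = "203.0.113.10"
SAMPLE_PCAP = build_pcap([
    # flow A: only the three-way handshake was recorded
    build_frame("10.0.0.5", 40000, WATCHED_HOST, 80, SYN),
    build_frame(WATCHED_HOST, 80, "10.0.0.5", 40000, SYN | ACK),
    build_frame("10.0.0.5", 40000, WATCHED_HOST, 80, ACK),
    # flow B: handshake followed by a short HTTP exchange
    build_frame("10.0.0.6", 40001, WATCHED_HOST, 80, SYN),
    build_frame(WATCHED_HOST, 80, "10.0.0.6", 40001, SYN | ACK),
    build_frame("10.0.0.6", 40001, WATCHED_HOST, 80, ACK),
    build_frame("10.0.0.6", 40001, WATCHED_HOST, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame(WATCHED_HOST, 80, "10.0.0.6", 40001, PSH | ACK, b"HTTP/1.0 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    for key, f in summarize_flows(SAMPLE_PCAP).items():
        print(key, f)
    print("handshake-only flows:", handshake_only_flows(SAMPLE_PCAP))
```

Pointing `iter_frames` at a real tagged-session capture (read the file as bytes) gives the same per-flow summary; a flow to the watched host that shows up as handshake-only while http.log has an entry for it is exactly the case the thread asks about.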