[Oisf-users] Logging full sessions and HTTP logs concurrently

Cooper F. Nelson cnelson at ucsd.edu
Wed Sep 18 19:41:00 UTC 2013


You can, it just won't log every packet for that flow.

Suricata does have a pcap logging function, but it simply logs
everything (which probably isn't what you want).

Try using tcpdump.  It has almost zero overhead on a modern kernel.

-Coop

On 9/18/2013 12:26 PM, Duane Howard wrote:
> Downside is "yet another service" on my many sensors, which I was hoping to
> avoid. I'm assuming there's no flag to tell Suricata to log to http.log and
> a u2 file?
> 
> 
> On Wed, Sep 18, 2013 at 11:13 AM, Eoin Miller <
> eoin.miller at trojanedbinaries.com> wrote:
> 
>> On 9/18/2013 17:19, Duane Howard wrote:
>>> Hey folks, another strange behavior I'm seeing that I'm wondering about.
>>>
>>> I have a rule like this, which I believe should basically record all
>>> sessions to IP_I_CARE_ABOUT:
>>> alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic";
>>> tag:session,300,seconds; reference:url,foo.example.com;
>>> classtype:misc-activity; priority:2; sid:9000001; rev:1;)
>>>
>>> I also have http logging enabled.
>>> It seems like when this rule fires I get the SYN/SYN-ACK/ACK, but do not
>>> get any further traffic when the traffic is HTTP, I do however get
>>> corresponding HTTP text logs written to my http.log file.
>>>
>>> Is this working as intended? I assumed that I would get the full capture
>>> as well as the plaintext log of the HTTP traffic.
>>>
>>> Thanks,
>>> /.d
>>
>> You should take a look at Moloch.
>>
>> http://molo.ch
>> http://github.com/aol/moloch
>>
>> -- Eoin
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042