[Oisf-users] Logging full sessions and HTTP logs concurrently

Edward Fjellskål edwardfjellskaal at gmail.com
Thu Sep 19 07:07:59 UTC 2013


https://redmine.openinfosecfoundation.org/issues/120

Snort would be able to do this like:

alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet Evil-IP 85.19.221.54 (gamelinux.org)"; flags:S; tag:session,1000,bytes,100,seconds,0,packets; classtype:trojan-activity; sid:201102011; rev:1;)


It's an OK feature... but if it sucks performance, I would leave it out :)
If not - I would love it!



On Wed, Sep 18, 2013 at 9:41 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

>
> You can, it just won't log every packet for that flow.
>
> Suricata does have a pcap logging function, but it simply logs
> everything (which probably isn't what you want).
>
> Try using tcpdump.  It has almost zero overhead on a modern kernel.
>
> - -Coop
>
> On 9/18/2013 12:26 PM, Duane Howard wrote:
> > Downside is "yet another service" on my many sensors, which I was hoping to
> > avoid. I'm assuming there's no flag to tell Suricata to log to http.log and
> > a u2 file?
> >
> >
> > On Wed, Sep 18, 2013 at 11:13 AM, Eoin Miller <eoin.miller at trojanedbinaries.com> wrote:
> >
> >> On 9/18/2013 17:19, Duane Howard wrote:
> >>> Hey folks, another strange behavior I'm seeing that I'm wondering about.
> >>>
> >>> I have a rule like this, which I believe should basically record all
> >>> sessions to IP_I_CARE_ABOUT:
> >>> alert ip $HOME_NET any -> $IP_I_CARE_ABOUT any (msg:"log all traffic"; tag:session,300,seconds; reference:url,foo.example.com; classtype:misc-activity; priority:2; sid:9000001; rev:1;)
> >>>
> >>> I also have http logging enabled.
> >>> It seems like when this rule fires I get the SYN/SYN-ACK/ACK, but do not
> >>> get any further traffic when the traffic is HTTP. I do, however, get
> >>> corresponding HTTP text logs written to my http.log file.
> >>>
> >>> Is this working as intended? I assumed that I would get the full capture
> >>> as well as the plaintext log of the HTTP traffic.
> >>>
> >>> Thanks,
> >>> /.d
> >>
> >> You should take a look at Moloch.
> >>
> >> http://molo.ch
> >> http://github.com/aol/moloch
> >>
> >> -- Eoin
> >>
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> >> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> OISF: http://www.openinfosecfoundation.org/
> >>
> >
> >
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042



-- 
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/
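The check Duane did by eye, as an added example that is not part of the thread or of Suricata: a dependency-free reader for a classic libpcap file that groups TCP packets into bidirectional flows and reports, per flow, the packet count, TCP payload bytes and the flags seen. A flow that opened with a SYN but never carried a payload byte is exactly the "only SYN/SYN-ACK/ACK was logged" symptom described above, so running this over a tag:session pcap tells you at once whether the tagged capture stopped after the handshake. The sample pcap, the TEST-NET addresses, the HTTP request and response bytes and the function names are all constructed for the example.

```python
"""Added example (not from the thread): does a tag:session pcap hold full TCP
sessions, or only the SYN/SYN-ACK/ACK handshake?  SAMPLE_PCAP is constructed
in memory with TEST-NET addresses; nothing here is real traffic."""
import struct
from collections import defaultdict

# TCP flag bits to one-letter names (SYN, ACK, PSH, FIN, RST)
TCP_FLAGS = {0x02: "S", 0x10: "A", 0x08: "P", 0x01: "F", 0x04: "R"}
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Construct one Ethernet/IPv4/TCP frame. Checksums are left zero; the
    parser below never validates them, so that is fine for a test file."""
    eth = b"\x00" * 12 + b"\x08\x00"                         # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,      # 20-byte TCP header
                      5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1379500000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield each captured frame from a classic (non-pcapng) libpcap blob."""
    (magic,) = struct.unpack("<I", pcap[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos = 24                                                 # skip global header
    while pos + 16 <= len(pcap):
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len


def flow_summary(pcap):
    """Group TCP packets into bidirectional flows keyed by the sorted
    (ip, port) pair; record packets, payload bytes and flags per flow."""
    flows = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "flags": set()})
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                         # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        (total_len,) = struct.unpack("!H", frame[16:18])
        if frame[23] != 6:
            continue                                         # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        f = flows[tuple(sorted([(src, sport), (dst, dport)]))]
        f["packets"] += 1
        f["payload_bytes"] += max(0, total_len - ihl - doff)
        f["flags"] |= {name for bit, name in TCP_FLAGS.items() if tcp[13] & bit}
    return dict(flows)


def handshake_only_flows(summary):
    """Flows that opened with a SYN but never carried a byte of TCP payload:
    the 'tagged capture stops after the handshake' case from the thread."""
    return sorted(k for k, v in summary.items()
                  if "S" in v["flags"] and v["payload_bytes"] == 0)


# Constructed sample: one handshake-only flow and one flow with an HTTP
# exchange, both from a TEST-NET client to a TEST-NET-2 server on port 80.
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"
REQUEST = b"GET / HTTP/1.1\r\nHost: foo.example.com\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 40000, 80, SYN),
    build_frame(SERVER, CLIENT, 80, 40000, SYN | ACK),
    build_frame(CLIENT, SERVER, 40000, 80, ACK),
    build_frame(CLIENT, SERVER, 40001, 80, SYN),
    build_frame(SERVER, CLIENT, 80, 40001, SYN | ACK),
    build_frame(CLIENT, SERVER, 40001, 80, ACK),
    build_frame(CLIENT, SERVER, 40001, 80, PSH | ACK, REQUEST),
    build_frame(SERVER, CLIENT, 80, 40001, PSH | ACK, RESPONSE),
    build_frame(CLIENT, SERVER, 40001, 80, FIN | ACK),
])

if __name__ == "__main__":
    summary = flow_summary(SAMPLE_PCAP)
    for key, stats in sorted(summary.items()):
        print(key, stats["packets"], "pkts", stats["payload_bytes"], "payload bytes",
              "".join(sorted(stats["flags"])))
    print("handshake-only flows:", handshake_only_flows(summary))
```

To use it on a real tagged capture, replace SAMPLE_PCAP with the bytes of the file Suricata (or Snort) wrote and look at the handshake-only list: if every flow to the tagged IP ends up there while http.log shows requests for the same connections, the tagging is stopping at the handshake rather than the pcap being short of the traffic. The reader only understands the classic libpcap format with Ethernet framing; pcapng output or other link types would need a different header parser.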