[Oisf-users] Logging full sessions and HTTP logs concurrently

Duane Howard duane.security at gmail.com
Thu Sep 19 14:31:08 UTC 2013


Victor, am I correct in my interpretation of these responses that because I
do have "tag:session,300,seconds;" in my rule, this should be working, but
Suricata has a bug (tracking at
https://redmine.openinfosecfoundation.org/issues/969) that is relevant to
this, and that my lack of packets is *not* due to the HTTP logging module
being enabled?

./d


On Thu, Sep 19, 2013 at 2:31 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:

> On Thu, Sep 19, 2013 at 2:58 PM, Victor Julien <lists at inliniac.net> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 09/19/2013 11:24 AM, Edward Fjellskål wrote:
> >> I googled, but did not find any docs about it.... saw some hits on
> >> the sourcecode, but did not dig into them.
> >>
> >> This is a great feature to have though, and I guess one can use
> >> this for a fairly good packet capture and might satisfy the initial
> >> request?
> >
> > When fixed, this works by pushing the tags into the unified2 records,
> > so barnyard2 would have to make pcap files out of that. Not sure how
> > to configure by2 for that though.
> >
>
> When tagged packets are logged, what will we log as the alert sid in
> barnyard hdr, for packets that didn't trigger any alerts?
>
> >> On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <lists at inliniac.net> wrote:
> >>
> >> On 09/19/2013 09:07 AM, Edward Fjellskål wrote:
> >>> https://redmine.openinfosecfoundation.org/issues/120
> >>
> >>> Snort would be able to do this like:
> >>
> >>> alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet
> >>> Evil-IP 85.19.221.54 (gamelinux.org)"; flags:S;
> >>> tag:session,1000,bytes,100,seconds,0,packets;
> >>> classtype:trojan-activity; sid:201102011; rev:1;)
> >>
> >> We support this tagging as well, never really benched it.
> >>
>
>
> --
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
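As an added example, not code from this thread or from the Suricata or Snort projects: a small Python parser that pulls the `tag` keyword out of a rule and validates its arguments, so a rule author can confirm the tag is well-formed before blaming the engine for missing packets. It accepts the single `<count>,<metric>` form used in the poster's `tag:session,300,seconds;` and the older multi-limit form in the quoted Snort rule; the `host` type, the `src`/`dst` direction argument and the check that direction applies only to host tagging follow the documented keyword syntax. The rule strings, the second rule's header and its sid are constructed for the example.

```python
# Added example (not code from the thread or from Suricata/Snort): parse the
# tag keyword out of a rule and validate its arguments before relying on it.
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rules. The first is the Snort rule quoted in the thread
# (quotes and link residue cleaned up); the second mirrors the
# "tag:session,300,seconds;" option the poster mentions, with a header and a
# placeholder sid chosen here.
SNORT_RULE = (
    'alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet '
    'Evil-IP 85.19.221.54 (gamelinux.org)"; flags:S; '
    'tag:session,1000,bytes,100,seconds,0,packets; '
    'classtype:trojan-activity; sid:201102011; rev:1;)'
)
SESSION_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed example"; '
    'tag:session,300,seconds; sid:1000001; rev:1;)'
)

VALID_TYPES = {"session", "host"}
VALID_METRICS = {"packets", "seconds", "bytes"}
VALID_DIRECTIONS = {"src", "dst"}


@dataclass
class TagSpec:
    tag_type: str                        # "session" or "host"
    limits: List[Tuple[int, str]]        # (count, metric) pairs
    direction: Optional[str] = None      # "src"/"dst", host tagging only


def option_body(rule: str) -> str:
    """Return the text between the rule's outer parentheses."""
    return rule[rule.index("(") + 1:rule.rindex(")")]


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split options on ';' outside double quotes; return (keyword, value) pairs."""
    tokens, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # option separator
            tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current))
    pairs = []
    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        key, sep, val = tok.partition(":")
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs


def parse_tag(value: str) -> TagSpec:
    """Validate a tag argument string such as 'session,300,seconds'."""
    parts = [p.strip() for p in value.split(",")]
    tag_type, rest = parts[0], parts[1:]
    if tag_type not in VALID_TYPES:
        raise ValueError(f"unknown tag type {tag_type!r}")
    # An optional trailing src/dst selects which host to tag (host type only).
    direction = rest.pop() if rest and rest[-1] in VALID_DIRECTIONS else None
    if direction and tag_type != "host":
        raise ValueError("src/dst direction only applies to tag:host")
    if not rest or len(rest) % 2:
        raise ValueError(f"tag needs one or more <count>,<metric> pairs: {value!r}")
    limits = []
    for count, metric in zip(rest[0::2], rest[1::2]):
        if not count.isdigit():
            raise ValueError(f"count {count!r} is not a number")
        if metric not in VALID_METRICS:
            raise ValueError(f"unknown metric {metric!r}")
        limits.append((int(count), metric))
    return TagSpec(tag_type, limits, direction)


def tag_from_rule(rule: str) -> Optional[TagSpec]:
    """Return the rule's tag spec, or None when the rule has no tag option."""
    for key, val in split_options(option_body(rule)):
        if key == "tag" and val is not None:
            return parse_tag(val)
    return None


def is_valid_tag(value: str) -> bool:
    """True when the tag argument string parses cleanly."""
    try:
        parse_tag(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for rule in (SNORT_RULE, SESSION_RULE):
        print(tag_from_rule(rule))
```

Running the block prints the parsed tag for both sample rules; a malformed option such as a missing metric raises `ValueError` with the offending argument, which is the check to run over a ruleset before investigating why tagged packets never reach the log.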