[Oisf-users] Logging full sessions and HTTP logs concurrently

Victor Julien lists at inliniac.net
Thu Sep 19 14:37:55 UTC 2013


On 09/19/2013 04:31 PM, Duane Howard wrote:
> Victor, am I correct in my interpretation of these responses that because I
> do have "tag:session,300,seconds;" in my rule, this should be working, but
> Suricata has a bug (tracking at
> https://redmine.openinfosecfoundation.org/issues/969) that is relevant to
> this, and that my lack of packets is *not* due to the HTTP logging module
> being enabled?

Yes. The HTTP logging module is not related to this in any way.

If you want to test the fix, please try:

https://github.com/inliniac/suricata/pull/557 (if you're willing to test
the master branch)
or:
https://github.com/inliniac/suricata/tree/dev-fix-tag-14 (if you're on
1.4.x)

Cheers,
Victor

> 
> ./d
> 
> 
> On Thu, Sep 19, 2013 at 2:31 AM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:
> 
>> On Thu, Sep 19, 2013 at 2:58 PM, Victor Julien <lists at inliniac.net> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 09/19/2013 11:24 AM, Edward Fjellskål wrote:
>>>> I googled, but did not find any docs about it... saw some hits in
>>>> the source code, but did not dig into them.
>>>>
>>>> This is a great feature to have though, and I guess one can use
>>>> this for a fairly good packet capture and might satisfy the initial
>>>> request?
>>>
>>> When fixed, this works by pushing the tags into the unified2 records,
>>> so barnyard2 would have to make pcap files out of that. Not sure how
>>> to configure by2 for that though.
>>>
>>
>> When tagged packets are logged, what will we log as the alert sid in the
>> barnyard hdr, for packets that didn't trigger any alerts?
>>
>>>> On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <lists at inliniac.net> wrote:
>>>>
>>>> On 09/19/2013 09:07 AM, Edward Fjellskål wrote:
>>>>> https://redmine.openinfosecfoundation.org/issues/120
>>>>
>>>>> Snort would be able to do this like:
>>>>
>>>>> alert tcp 85.19.221.54 any <> $HOME_NET any (msg:"GL Log Packet
>>>>> Evil-IP 85.19.221.54 (gamelinux.org)";
>>>>> flags:S; tag:session,1000,bytes,100,seconds,0,packets;
>>>>> classtype:trojan-activity; sid:201102011; rev:1;)
>>>>
>>>> We support this tagging as well, never really benched it.
>>>>
>>
>>
>> --
>> -------------------------------
>> Anoop Saldanha
>> http://www.poona.me
>> -------------------------------
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
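The thread shows the tag option only by example: Duane's Suricata rule uses `tag:session,300,seconds;` and Edward's Snort rule the longer `tag:session,1000,bytes,100,seconds,0,packets;` form. The following Python is an added illustration, not code from Suricata, Snort or any of the posters. It parses both forms of the option and then walks a constructed session to show which packets the tag would cause to be logged. The semantics it assumes are not spelled out on the page and are assumptions of this example: every non-zero count/metric pair caps the tag, a count of 0 means no cap on that metric, the alerting packet is logged by the alert itself rather than counted against the tag budget, and a second alert does not reset the budget. The packets, rules and sids are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

METRICS = ("packets", "bytes", "seconds")


@dataclass
class TagSpec:
    kind: str                        # "session" or "host"
    limits: List[Tuple[int, str]]    # (count, metric) pairs, in rule order
    direction: Optional[str] = None  # "src" / "dst", host tags only


def parse_tag(rule: str) -> TagSpec:
    """Pull the tag option out of a rule body.

    Handles the plain form (tag:session,300,seconds;) and the multi-limit
    form seen in older Snort rules
    (tag:session,1000,bytes,100,seconds,0,packets;).  Treating a count of
    0 as "no cap on that metric" is an assumption of this example."""
    m = re.search(r"\btag\s*:\s*([^;]+);", rule)
    if not m:
        raise ValueError("rule has no tag option")
    parts = [p.strip() for p in m.group(1).split(",")]
    kind = parts.pop(0)
    if kind not in ("session", "host"):
        raise ValueError(f"unknown tag type {kind!r}")
    direction = None
    if kind == "host" and parts and parts[-1] in ("src", "dst"):
        direction = parts.pop()
    if len(parts) < 2 or len(parts) % 2:
        raise ValueError("tag needs <count>,<metric> pairs")
    limits = []
    for count, metric in zip(parts[0::2], parts[1::2]):
        if metric not in METRICS:
            raise ValueError(f"unknown metric {metric!r}")
        limits.append((int(count), metric))
    return TagSpec(kind, limits, direction)


@dataclass
class Packet:
    ts: float            # seconds since session start
    size: int            # bytes on the wire
    alert: bool = False  # True if this packet itself matched the rule


def tagged_packets(spec: TagSpec, session: List[Packet]) -> List[int]:
    """Indices of the packets a tagging rule would log for this session.

    Model (an assumption of this example): the first alerting packet arms
    the tag; each later packet is logged until any non-zero limit is
    exceeded.  The alerting packet is logged by the alert itself and does
    not count against the tag budget, and a second alert does not reset it."""
    logged: List[int] = []
    start = None
    pkts = nbytes = 0
    for i, p in enumerate(session):
        if start is None:
            if p.alert:
                start = p.ts
            continue
        pkts += 1
        nbytes += p.size
        used = {"packets": pkts, "bytes": nbytes, "seconds": p.ts - start}
        if any(count and used[metric] > count for count, metric in spec.limits):
            break
        logged.append(i)
    return logged


# Constructed sample session (not captured traffic): a SYN that matched the
# rule, then data packets; timestamps in seconds, sizes in bytes.
SESSION = [
    Packet(0.0, 60, alert=True),
    Packet(10.0, 400),
    Packet(50.0, 400),
    Packet(60.0, 400),
    Packet(290.0, 80),
    Packet(310.0, 80),
]

# Constructed rules; the sids are placeholders, not real rule IDs.
SURICATA_RULE = ('alert tcp any any -> $HOME_NET any (msg:"log session"; '
                 'flags:S; tag:session,300,seconds; sid:1000001; rev:1;)')
SNORT_RULE = ('alert tcp any any <> $HOME_NET any (msg:"old snort form"; flags:S; '
              'tag:session,1000,bytes,100,seconds,0,packets; sid:1000002; rev:1;)')


def demo() -> Tuple[List[int], List[int]]:
    """Which of SESSION's packets each rule would tag."""
    return (tagged_packets(parse_tag(SURICATA_RULE), SESSION),
            tagged_packets(parse_tag(SNORT_RULE), SESSION))


if __name__ == "__main__":
    print(demo())  # ([1, 2, 3, 4], [1, 2])
```

With the seconds-only rule the tag keeps logging until the 300 s window closes, so the packet at 310 s is dropped; with the multi-limit rule the 1000-byte cap is hit on the third data packet long before the 100 s cap, which is the point of stacking limits: the tightest one wins. Whether the tagged packets then reach disk depends on the output path, which in this thread is the unified2 records that barnyard2 would have to turn into pcap.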