[Oisf-users] Logging full sessions and HTTP logs concurrently
Victor Julien
lists at inliniac.net
Thu Sep 19 15:24:06 UTC 2013
On 09/19/2013 04:37 PM, Victor Julien wrote:
> On 09/19/2013 04:31 PM, Duane Howard wrote:
>> Victor, am I correct in my interpretation of these responses that because I
>> do have "tag:session,300,seconds;" in my rule, this should be working, but
>> Suricata has a bug (tracking at
>> https://redmine.openinfosecfoundation.org/issues/969) that is relevant to
>> this, and that my lack of packets is *not* due to the HTTP logging module
>> being enabled?
>
> Yes. The HTTP logging module is not related to this in any way.
>
> If you want to test the fix, please try:
>
> https://github.com/inliniac/suricata/pull/557 (if you're willing to test
> the master branch)
> or:
> https://github.com/inliniac/suricata/tree/dev-fix-tag-14 (if you're on
> 1.4.x)
>
I've pushed both fixes out, so both "master" and "master-1.4.x" have it now.
Will be in 1.4.6. Should be out next week.
Cheers,
Victor
> Cheers,
> Victor
>
>>
>> ./d
>>
>>
>> On Thu, Sep 19, 2013 at 2:31 AM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:
>>
>>> On Thu, Sep 19, 2013 at 2:58 PM, Victor Julien <lists at inliniac.net> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 09/19/2013 11:24 AM, Edward Fjellskål wrote:
>>>>> I googled, but did not find any docs about it.... saw some hits on
>>>>> the sourcecode, but did not dig into them.
>>>>>
>>>>> This is a great feature to have though, and I guess one can use
>>>>> this for a fairly good packet capture and might satisfy the initial
>>>>> request?
>>>>
>>>> When fixed, this works by pushing the tags into the unified2 records,
>>>> so barnyard2 would have to make pcap files out of that. Not sure how
>>>> to configure by2 for that though.
>>>>
>>>
>>> When tagged packets are logged, what will lwe og as the alert sid in
>>> barnyard hdr, for packets that didn't trigger any alerts?
>>>
>>>>> On Thu, Sep 19, 2013 at 9:33 AM, Victor Julien <lists at inliniac.net
>>>>> <mailto:lists at inliniac.net>> wrote:
>>>>>
>>>>> On 09/19/2013 09:07 AM, Edward Fjellskål wrote:
>>>>>> https://redmine.openinfosecfoundation.org/issues/120
>>>>>
>>>>>> Snort would be able to do this like:
>>>>>
>>>>>> *alert tcp 85.19.221.54 any <> $HOME_NET any (msg:”GL Log Packet
>>>>>> Evil-IP 85.19.221.54 (gamelinux.org <http://gamelinux.org>
>>>>> <http://gamelinux.org>)”;
>>>>>> flags:S; tag:session,1000,bytes,100,seconds,0,packets;
>>>>>> classtype:trojan-activity; sid:201102011; rev:1;)*
>>>>>
>>>>> We support this tagging as well, never really benched it.
>>>>>
>>>
>>>
>>> --
>>> -------------------------------
>>> Anoop Saldanha
>>> http://www.poona.me
>>> -------------------------------
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> OISF: http://www.openinfosecfoundation.org/
>>>
>>
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list