[Oisf-users] http.log + rules meta information
Leonard Jacobs
ljacobs at netsecuris.com
Sun Jan 12 09:43:21 EST 2014
We are experimenting with correlation between the fast.log and http.log with some success. We are storing the information from those two logs into database tables and have written queries that attempt to find relationship between the two logs. The difficult part is fine tuning the query to find exactly that moment in time where the data from fast.log and http.log intersect. It is not an impossible task but just takes some work fine-tuning.
-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Peter Manev
Sent: Sunday, January 12, 2014 4:25 AM
To: Nikita Kislitsin
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] http.log + rules meta information
On Sat, Jan 11, 2014 at 10:17 PM, Nikita Kislitsin <kislitsin at group-ib.ru> wrote:
>
> Thanks!
>
> I need to search in http requests and write a log that includes all the details about matching sessions - src/dst ip:port, matched rule msg, domain, URI and method of HTTP-request.
>
> Looks like Suricata can't do that from the box, right?
>
>
Not right of the box.
It still looks to me that you need to correlate data - but you would like all the information about that specific session to be written in one specific log, correct?
Just to point out entries in the http.log are not directly related to those in the fast.log(alert). In other words - http.log logs all the http requests Suriacta sees, regardless of the fact if alerts are triggered or not.
Suricata also can log DNS,TLS,Files detailed logs (besides alert and
http) - fyi.
thanks
--
Regards,
Peter Manev
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
More information about the Oisf-users
mailing list