[Oisf-users] http.log + rules meta information

Nikita Kislitsin kislitsin at group-ib.ru
Mon Jan 13 12:10:03 EST 2014


Anoop and everybody, thanks! Looks helpful!





2014/1/13 Anoop Saldanha <anoopsaldanha at gmail.com>

> Nikita,
>
> To add to what others have said, have a look at debuglog as well,
> which logs other details such as the transaction id that triggered the
> rule alert.  The tx_id should help you single out the http transaction
> from http.log that caused the alert.
>
> On Sun, Jan 12, 2014 at 8:13 PM, Leonard Jacobs <ljacobs at netsecuris.com>
> wrote:
> > We are experimenting with correlation between the fast.log and http.log
> > with some success. We are storing the information from those two logs into
> > database tables and have written queries that attempt to find the relationship
> > between the two logs. The difficult part is fine-tuning the query to find
> > exactly that moment in time where the data from fast.log and http.log
> > intersect. It is not an impossible task but just takes some work
> > fine-tuning.
> >
> > -----Original Message-----
> > From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:
> oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Peter
> Manev
> > Sent: Sunday, January 12, 2014 4:25 AM
> > To: Nikita Kislitsin
> > Cc: oisf-users at lists.openinfosecfoundation.org
> > Subject: Re: [Oisf-users] http.log + rules meta information
> >
> > On Sat, Jan 11, 2014 at 10:17 PM, Nikita Kislitsin <
> kislitsin at group-ib.ru> wrote:
> >>
> >> Thanks!
> >>
> >> I need to search in http requests and write a log that includes all the
> >> details about matching sessions - src/dst ip:port, matched rule msg,
> >> domain, URI and method of HTTP-request.
> >>
> >> Looks like Suricata can't do that from the box, right?
> >>
> >>
> >
> >
> > Not right out of the box.
> > It still looks to me that you need to correlate data - but you would
> like all the information about that specific session to be written in one
> specific log, correct?
> >
> > Just to point out, entries in the http.log are not directly related to
> > those in the fast.log (alert). In other words, http.log logs all the http
> > requests Suricata sees, regardless of whether alerts are triggered or
> > not.
> >
> > Suricata can also log detailed DNS, TLS and file logs (besides alert and
> > http) - fyi.
> >
> >
> >
> > thanks
> >
> >
> >
> > --
> > Regards,
> > Peter Manev
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
>
>
>
> --
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
>



-- 
Nikita Kislitsin
Head of Botnet Monitoring Project
Group-IB
+7 (495) 984-33-64 ext. 137
+7 (903) 791-65-28
kislitsin at group-ib.com
www.group-ib.com
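The correlation Leonard describes (joining fast.log alerts to http.log requests by flow and time) can be done without a database for a first pass. The script below is an added example, not code from the thread or from the Suricata project. It assumes the default, non-extended fast.log and http.log line layouts of Suricata 1.x/2.x (timestamp, "[**]"-separated fields, trailing "src:port -> dst:port"), local-time timestamps in MM/DD/YYYY-HH:MM:SS.usec form, and uses constructed sample lines rather than real traffic. The join key is the direction-insensitive 5-tuple plus a time window; the default http.log does not carry the request method, and where a transaction id (as Anoop mentions for the debug log) is available it is the exact key to use instead of the time window.

```python
"""Join Suricata fast.log alerts to the http.log request on the same flow.

Added example, not part of the thread. Assumes the default (non-extended)
fast.log / http.log layouts of Suricata 1.x/2.x and MM/DD/YYYY timestamps.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic); hosts/IPs are placeholders.
FAST_LOG = """\
01/13/2014-12:10:03.412000  [**] [1:9000001:1] LOCAL Suspicious admin URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.2.3:51234 -> 192.0.2.10:80
01/13/2014-12:10:09.000000  [**] [1:9000002:1] LOCAL Other alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.3:51300 -> 192.0.2.11:80
"""
HTTP_LOG = """\
01/13/2014-12:10:03.401000 www.example.net [**] /admin/login.php?user=x [**] Mozilla/5.0 [**] 10.1.2.3:51234 -> 192.0.2.10:80
01/13/2014-12:10:04.900000 www.example.net [**] /static/logo.png [**] Mozilla/5.0 [**] 10.1.2.3:51234 -> 192.0.2.10:80
01/13/2014-12:10:30.000000 cdn.example.org [**] /x.js [**] Mozilla/5.0 [**] 10.1.2.3:51300 -> 192.0.2.11:80
"""

TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"
FLOW_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+)\s*$")
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<flow>.*)$"
)


def _flow(text):
    """Return (src, sport, dst, dport) from a trailing 'a:p -> b:q'."""
    m = FLOW_RE.search(text)
    if m is None:
        raise ValueError("no flow tuple in: %r" % text)
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def _key(flow):
    """Direction-insensitive flow key: an alert may fire on the server reply."""
    src, sport, dst, dport = flow
    return tuple(sorted([(src, sport), (dst, dport)]))


def parse_fast(lines):
    """Parse fast.log lines; malformed lines are skipped rather than fatal."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.rstrip())
        if m is None:
            continue
        alerts.append({"ts": datetime.strptime(m.group("ts"), TS_FMT),
                       "sid": int(m.group("sid")), "msg": m.group("msg"),
                       "flow": _flow(m.group("flow"))})
    return alerts


def parse_http(lines):
    """Parse default-format http.log lines.

    Hostname, URI and User-Agent are attacker-controlled, so only the first
    field (timestamp) and the last field (flow) are used as anchors; a
    ' [**] ' smuggled into the User-Agent only shifts the untrusted middle.
    """
    reqs = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        ts, rest = line.split(" ", 1)
        fields = rest.split(" [**] ")
        if len(fields) < 4:
            continue
        reqs.append({"ts": datetime.strptime(ts, TS_FMT),
                     "hostname": fields[0], "uri": fields[1],
                     "flow": _flow(fields[-1])})
    return reqs


def correlate(alerts, requests, window=timedelta(seconds=5)):
    """For each alert, pick the same-flow request closest in time.

    Alerts with no request inside `window` are kept with hostname/uri None,
    so the gap is visible instead of the alert being silently dropped.
    """
    by_flow = {}
    for r in requests:
        by_flow.setdefault(_key(r["flow"]), []).append(r)
    joined = []
    for a in alerts:
        best, best_delta = None, None
        for r in by_flow.get(_key(a["flow"]), []):
            delta = abs(a["ts"] - r["ts"])
            if delta <= window and (best is None or delta < best_delta):
                best, best_delta = r, delta
        src, sport, dst, dport = a["flow"]
        joined.append({"ts": a["ts"], "sid": a["sid"], "msg": a["msg"],
                       "src": "%s:%d" % (src, sport), "dst": "%s:%d" % (dst, dport),
                       "hostname": best["hostname"] if best else None,
                       "uri": best["uri"] if best else None})
    return joined


if __name__ == "__main__":
    for row in correlate(parse_fast(FAST_LOG.splitlines()),
                         parse_http(HTTP_LOG.splitlines())):
        print(row)
```

With the sample data the first alert lands on /admin/login.php?user=x (11 ms away) rather than the later /static/logo.png on the same flow, and the second alert stays unmatched because its only same-flow request is 21 s away; widen or narrow `window` to suit the latency between the request being logged and the rule firing on the response.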

