[Oisf-users] http.log + rules meta information

Nikita Kislitsin kislitsin at group-ib.ru
Mon Jan 13 13:34:32 EST 2014


Also noteworthy that I use pf_ring for faster capturing


2014/1/13 Nikita Kislitsin <kislitsin at group-ib.ru>

> The corellation between fast.log and http.log looks poor in my case so
> far. I got some records in fast.log caused by botnets activity. I wanted to
> find details on http-requests that were sent to C2-servers. And there's no
> such records in http.log! Looks like many http-requests are missing in
> http.log.
>
> Probably I misconfigured Suricata. It shows such messages:
> 13/1/2014 -- 22:04:26 - <Info> - Flow emergency mode over, back to
> normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1389636266,
> ts.tv_usec:8746) flow_spare_q status(): 36% flows at the queue
>
> And in stats.log I see that:
>
> capture.kernel_packets    | RxPFRp6p11                | 326355778
> capture.kernel_drops      | RxPFRp6p11                | 16148543
>
> Looks like Suricata is misconfigured and it misses packets? I got plenty
> of memory, two good CPU's. The link is 10G, and actual load is 2-3G. I use
> only botcc.rules now.
>
> Some perfomance-related details from my suricata.yaml:
>
> max-pending-packets: 65000
>
> detect-engine:
>   - profile: medium
>   - custom-values:
>       toclient-src-groups: 200
>       toclient-dst-groups: 200
>       toclient-sp-groups: 200
>       toclient-dp-groups: 300
>       toserver-src-groups: 200
>       toserver-dst-groups: 400
>       toserver-sp-groups: 200
>       toserver-dp-groups: 200
>   - sgh-mpm-context: auto
>   - inspection-recursion-limit: 3000
>
> What should I change so Suricata would work properly?
>
> Thanks!
>
>
> 2014/1/12 Peter Manev <petermanev at gmail.com>
>
>> On Sat, Jan 11, 2014 at 10:17 PM, Nikita Kislitsin
>> <kislitsin at group-ib.ru> wrote:
>> >
>> > Thanks!
>> >
>> > I need to search in http requests and write a log that includes all the
>> details about matching sessions - src/dst ip:port, matched rule msg,
>> domain, URI and method of HTTP-request.
>> >
>> > Looks like Suricata can't do that from the box, right?
>> >
>> >
>>
>>
>> Not right of the box.
>> It still looks to me that you need to correlate data - but you would
>> like all the information about that specific session to be written in
>> one specific log, correct?
>>
>> Just to point out entries in the http.log are not directly related to
>> those in the fast.log(alert). In other words - http.log logs all the
>> http requests Suriacta sees, regardless of the fact if alerts are
>> triggered or not.
>>
>> Suricata also can log DNS,TLS,Files detailed logs (besides alert and
>> http) - fyi.
>>
>>
>>
>> thanks
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>>
>
>
>
> --
> [image: Group-IB]
> Global Cyber Security Company
>  <http://www.facebook.com/GroupIB>  <http://twitter.com/groupib> <http://www.linkedin.com/groups/GroupIB-Cybercrime-Cyberterrorism-4390171>
>   <http://www.youtube.com/user/GroupIB> Nikita Kislitsin
> Head of Botnet Monitoring Project
> Group-IB
> +7 (495) 984-33-64 ext. 137
> +7 (903) 791-65-28
> kislitsin at group-ib.com
> www.group-ib.com
>
>


-- 
[image: Group-IB]
Global Cyber Security Company
<http://www.facebook.com/GroupIB>  <http://twitter.com/groupib>
<http://www.linkedin.com/groups/GroupIB-Cybercrime-Cyberterrorism-4390171>
  <http://www.youtube.com/user/GroupIB>Nikita Kislitsin
Head of Botnet Monitoring Project
Group-IB
+7 (495) 984-33-64 ext. 137
+7 (903) 791-65-28
kislitsin at group-ib.com
www.group-ib.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20140113/7b678c67/attachment-0001.html>


More information about the Oisf-users mailing list