[Oisf-users] http.log + rules meta information

Nikita Kislitsin kislitsin at group-ib.ru
Sat Jan 11 21:17:19 UTC 2014


I need to search in http requests and write a log that includes all the
details about matching sessions - src/dst ip:port, matched rule msg,
domain, URI and method of HTTP-request.

Looks like Suricata can't do that from the box, right?

2014/1/11 Chris Edwards <Chris.Edwards at glasgow.ac.uk>

> On Sat, 11 Jan 2014, Nikita Kislitsin wrote:
>> Is there any way to include rules meta-information (*msg *field) to
>> http.log records? I need not only have details about http
>> request/response,
>> but also include a reference to the specific rule based on which this
>> event
>> was recorded.
> http.log is somewhat different in that it contains entries for *all* http
> transactions on the network, irrespective of whether they triggered a rule
> hit.
> Of course, some http.log entries do relate to rule hits, so it might be
> nice to have some sort of reference as you suggest.  But what if multiple
> rules were triggered by a single request ?  Perhaps it would be better to
> record the URL info as part of fast.log.  Either way, I don't think this is
> possible at present.  That said, where packet data is captured with rule
> hits, if you view the packet in wireshark etc, then the URL is there for
> you.
> Chris
> --
> Chris Edwards, Information Security, IT Services
> University of Glasgow, charity number SC004401
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

Nikita Kislitsin
Head of Botnet Monitoring Project
+7 (495) 984-33-64 ext. 137
+7 (903) 791-65-28
kislitsin at group-ib.com
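The thread agrees that Suricata (at the time) cannot emit one record carrying both the HTTP transaction details and the rule that fired, and Chris points out the complication that several rules may hit one request. One way to get that combined record anyway is to join the two logs Suricata already writes: fast.log (rule hits, keyed by the 5-tuple) and http.log (every transaction, keyed by the same addresses). The script below is an added example written for this thread, not code from the original posts or from the Suricata project. It assumes the plain-text layout of Suricata's default fast.log and http.log of that era (timestamp, `[**]`-separated fields, trailing `src:port -> dst:port`); the log lines are constructed samples, and the two-second pairing window is a chosen parameter. A transaction matched by several rules keeps all of them in a list, which is the case Chris raises.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread), laid out like Suricata's
# default fast.log and basic http.log text formats (assumption).
FAST_LOG = """\
01/11/2014-21:17:19.104532  [**] [1:2000001:1] EXAMPLE Suspicious URI [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
01/11/2014-21:17:19.104532  [**] [1:2000002:1] EXAMPLE Suspicious User-Agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
01/11/2014-21:17:25.777001  [**] [1:2000003:1] EXAMPLE Unrelated alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:40000 -> 192.0.2.20:80
"""

HTTP_LOG = """\
01/11/2014-21:17:19.104401 example.test [**] /update.php?id=1 [**] Mozilla/5.0 [**] 10.0.0.5:51234 -> 192.0.2.10:80
01/11/2014-21:17:20.000000 www.example.test [**] /index.html [**] Mozilla/5.0 [**] 10.0.0.6:51235 -> 192.0.2.10:80
"""

# fast.log: timestamp, [gid:sid:rev], msg, classification/priority, {proto}, addresses
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sp>\d+)\s+->\s+(?P<dst>\S+):(?P<dp>\d+)$"
)
# Trailing address field shared by both logs.
ADDR_RE = re.compile(r"^(?P<src>\S+):(?P<sp>\d+)\s+->\s+(?P<dst>\S+):(?P<dp>\d+)$")


def parse_ts(text):
    """Suricata text-log timestamp: MM/DD/YYYY-HH:MM:SS.usec."""
    return datetime.strptime(text, "%m/%d/%Y-%H:%M:%S.%f")


def parse_fast(text):
    """Return one dict per rule hit; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = parse_ts(rec["ts"])
        alerts.append(rec)
    return alerts


def parse_http(text):
    """Return one dict per HTTP transaction from basic-format http.log lines."""
    txns = []
    for line in text.splitlines():
        fields = line.strip().split(" [**] ")
        if len(fields) < 4:
            continue
        ts, host = fields[0].split(" ", 1)   # "<timestamp> <hostname>"
        addr = ADDR_RE.match(fields[-1])
        if not addr:
            continue
        txns.append({"ts": parse_ts(ts), "host": host, "uri": fields[1],
                     "ua": fields[2], **addr.groupdict()})
    return txns


def flow_key(rec):
    return (rec["src"], rec["sp"], rec["dst"], rec["dp"])


def correlate(alerts, txns, window=timedelta(seconds=2)):
    """Attach every rule hit on the same flow within `window` to its HTTP transaction.

    Only transactions that had at least one rule hit are returned, which is the
    'fast.log with URL info' view the thread asks for.
    """
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[flow_key(a)].append(a)
    out = []
    for t in txns:
        hits = [a for a in by_flow.get(flow_key(t), [])
                if abs(a["ts"] - t["ts"]) <= window]
        if not hits:
            continue
        out.append({
            "ts": t["ts"].isoformat(),
            "src": f'{t["src"]}:{t["sp"]}', "dst": f'{t["dst"]}:{t["dp"]}',
            "host": t["host"], "uri": t["uri"],
            # All matching rules are kept, so one request hit by several rules
            # yields one record listing each (sid, msg) pair.
            "rules": [(int(a["sid"]), a["msg"]) for a in hits],
        })
    return out


if __name__ == "__main__":
    for rec in correlate(parse_fast(FAST_LOG), parse_http(HTTP_LOG)):
        print(rec)
```

Run it against the sample lines and one record comes out: the `/update.php?id=1` request on flow 10.0.0.5:51234 -> 192.0.2.10:80 with both sids 2000001 and 2000002 attached; the unrelated alert and the un-alerted transaction produce nothing. The request method is absent from basic http.log lines, so for that field the extended http.log output (`extended: yes` under the http-log section of suricata.yaml) would have to be enabled and the parser widened accordingly. The pairing window matters on busy sensors: the same client port can be reused, so a tight window plus the 5-tuple is what keeps a later transaction from inheriting an earlier alert.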
