[Oisf-users] http.log + rules meta information
Nikita Kislitsin
kislitsin at group-ib.ru
Sat Jan 11 21:17:19 UTC 2014
Thanks!
I need to search in http requests and write a log that includes all the
details about matching sessions - src/dst ip:port, matched rule msg,
domain, URI and method of HTTP-request.
Looks like Suricata can't do that out of the box, right?
2014/1/11 Chris Edwards <Chris.Edwards at glasgow.ac.uk>
> On Sat, 11 Jan 2014, Nikita Kislitsin wrote:
>
>> Is there any way to include rules meta-information (*msg* field) in
>> http.log records? I need not only to have details about the http
>> request/response, but also to include a reference to the specific rule
>> based on which this event was recorded.
>>
>
> http.log is somewhat different in that it contains entries for *all* http
> transactions on the network, irrespective of whether they triggered a rule
> hit.
>
> Of course, some http.log entries do relate to rule hits, so it might be
> nice to have some sort of reference as you suggest. But what if multiple
> rules were triggered by a single request? Perhaps it would be better to
> record the URL info as part of fast.log. Either way, I don't think this is
> possible at present. That said, where packet data is captured with rule
> hits, if you view the packet in wireshark etc, then the URL is there for
> you.
>
> Chris
>
> --
> Chris Edwards, Information Security, IT Services
> University of Glasgow, charity number SC004401
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
--
Nikita Kislitsin
Head of Botnet Monitoring Project
Group-IB, Global Cyber Security Company
<http://www.facebook.com/GroupIB> <http://twitter.com/groupib>
<http://www.linkedin.com/groups/GroupIB-Cybercrime-Cyberterrorism-4390171>
<http://www.youtube.com/user/GroupIB>
+7 (495) 984-33-64 ext. 137
+7 (903) 791-65-28
kislitsin at group-ib.com
www.group-ib.com
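The thread's conclusion is that fast.log carries the rule msg and http.log carries the host/URI/method, and neither references the other. An added example (not from the thread or from the Suricata project) of the post-processing a defender can do instead: join the two text logs on the src/dst ip:port tuple and a small timestamp window, so that one HTTP transaction is emitted with the list of every rule that fired on it, which also answers Chris's point about several rules hitting one request. The log layouts are assumed to be the classic fast.log and extended http.log text formats of that era; the sample lines, hosts, addresses and rule SIDs below are constructed placeholders, and the 2-second window is an arbitrary tuning choice. (Later Suricata releases emit EVE JSON, where an HTTP alert record already embeds the http fields.)

```python
"""Join Suricata fast.log alerts with http.log transactions by flow tuple and time."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the classic text-log layouts (assumption, see lead-in).
# SIDs 1000001-1000003 and the hosts/addresses are placeholders, not real signatures.
FAST_LOG = """\
01/11/2014-21:10:05.120000  [**] [1:1000001:1] LOCAL placeholder rule A [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
01/11/2014-21:10:05.130000  [**] [1:1000002:1] LOCAL placeholder rule B [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
01/11/2014-21:10:09.500000  [**] [1:1000003:1] LOCAL placeholder rule C [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.11:40000 -> 198.51.100.6:80
"""

HTTP_LOG = """\
01/11/2014-21:10:05.100000 example.net [**] /download/update.bin [**] curl/7.35.0 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 1024 bytes [**] 192.0.2.10:51234 -> 198.51.100.5:80
01/11/2014-21:10:07.000000 example.org [**] /index.html [**] Mozilla/5.0 [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 512 bytes [**] 192.0.2.12:40001 -> 198.51.100.7:80
"""

# fast.log: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification...] [Priority...] {PROTO} src:port -> dst:port"
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)
FLOW_RE = re.compile(r"^(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$")


def parse_ts(text):
    return datetime.strptime(text, "%m/%d/%Y-%H:%M:%S.%f")


def parse_fast_log(text):
    """Return one dict per alert line; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = parse_ts(rec["ts"])
        alerts.append(rec)
    return alerts


def parse_http_log(text):
    """Return one dict per extended-format http.log line (9 fields separated by ' [**] ')."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(" [**] ")
        if len(fields) != 9:
            continue
        ts_host, uri, user_agent, referer, method, proto, status, length, flow = fields
        ts, host = ts_host.split(" ", 1)
        fm = FLOW_RE.match(flow)
        if not fm:
            continue
        rec = {"ts": parse_ts(ts), "host": host, "uri": uri, "user_agent": user_agent,
               "referer": referer, "method": method, "status": status}
        rec.update(fm.groupdict())
        records.append(rec)
    return records


def flow_key(rec):
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def correlate(alerts, http_records, window_seconds=2.0):
    """Attach every alert on the same flow within the window to its HTTP transaction.

    Returns {"joined": [...], "alerts_without_http": [...]}; the second list holds alerts
    that matched no http.log record (non-HTTP traffic, or the transaction was never logged).
    """
    window = timedelta(seconds=window_seconds)
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[flow_key(a)].append(a)
    matched = set()
    joined = []
    for rec in http_records:
        hits = [a for a in by_flow.get(flow_key(rec), []) if abs(a["ts"] - rec["ts"]) <= window]
        if not hits:
            continue  # ordinary transaction, no rule hit: http.log-only, as Chris describes
        matched.update(id(a) for a in hits)
        joined.append({
            "ts": rec["ts"], "src": rec["src"], "sport": rec["sport"],
            "dst": rec["dst"], "dport": rec["dport"], "host": rec["host"],
            "uri": rec["uri"], "method": rec["method"],
            "rules": [a["msg"] for a in hits], "sids": [a["sid"] for a in hits],
        })
    unmatched = [a for a in alerts if id(a) not in matched]
    return {"joined": joined, "alerts_without_http": unmatched}


if __name__ == "__main__":
    result = correlate(parse_fast_log(FAST_LOG), parse_http_log(HTTP_LOG))
    for j in result["joined"]:
        print(f'{j["ts"]} {j["src"]}:{j["sport"]} -> {j["dst"]}:{j["dport"]} '
              f'{j["method"]} {j["host"]}{j["uri"]} rules={j["rules"]}')
    print("alerts without an http.log record:", len(result["alerts_without_http"]))
```

The join key deliberately includes the ephemeral source port, so two requests from the same client to the same server are not confused; the timestamp window covers the fact that the alert is logged when the matching packet is seen while the http.log line is written when the transaction completes.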