[Oisf-users] http.log + rules meta information

Anoop Saldanha anoopsaldanha at gmail.com
Mon Jan 13 16:42:46 UTC 2014


Nikita,

To add to what others have said, have a look at debuglog as well,
which logs other details such as the transaction id that triggered the
rule alert. The tx_id should help you single out the http transaction
from http.log that caused the alert.

On Sun, Jan 12, 2014 at 8:13 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
> We are experimenting with correlation between the fast.log and http.log with some success. We are storing the information from those two logs into database tables and have written queries that attempt to find relationships between the two logs. The difficult part is fine-tuning the query to find exactly that moment in time where the data from fast.log and http.log intersect. It is not an impossible task but just takes some work fine-tuning.
>
> -----Original Message-----
> From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Peter Manev
> Sent: Sunday, January 12, 2014 4:25 AM
> To: Nikita Kislitsin
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] http.log + rules meta information
>
> On Sat, Jan 11, 2014 at 10:17 PM, Nikita Kislitsin <kislitsin at group-ib.ru> wrote:
>>
>> Thanks!
>>
>> I need to search in http requests and write a log that includes all the details about matching sessions - src/dst ip:port, matched rule msg, domain, URI and method of HTTP-request.
>>
>> Looks like Suricata can't do that from the box, right?
>>
>>
>
>
> Not right out of the box.
> It still looks to me that you need to correlate data - but you would like all the information about that specific session to be written in one specific log, correct?
>
> Just to point out, entries in the http.log are not directly related to those in the fast.log (alert). In other words - http.log logs all the http requests Suricata sees, regardless of the fact if alerts are triggered or not.
>
> Suricata also can log DNS, TLS, Files detailed logs (besides alert and
> http) - fyi.
>
>
>
> thanks
>
>
>
> --
> Regards,
> Peter Manev
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
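One way to do the fast.log/http.log correlation that Leonard and Peter describe in the quoted messages, as an added example that is not part of this thread and not Suricata's own code: parse a few constructed lines in the default (non-extended) http.log and fast.log line formats of Suricata 1.x/2.0 (assumed; adjust the regexes to your own http-log settings), join on the TCP endpoints, and pick the request closest in time to the alert.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic) in the default http.log and
# fast.log formats of Suricata 1.x/2.0 (assumed; adjust the regexes if your
# http-log output is configured with "extended: yes").
HTTP_LOG = """\
01/12/2014-04:25:00.100000 example.org [**] /index.html [**] curl/7.35 [**] 10.0.0.5:40001 -> 203.0.113.7:80
01/12/2014-04:25:00.300000 example.org [**] /cgi-bin/test [**] curl/7.35 [**] 10.0.0.5:40001 -> 203.0.113.7:80
01/12/2014-04:25:01.500000 example.org [**] /other [**] curl/7.35 [**] 10.0.0.6:40002 -> 203.0.113.7:80
"""
FAST_LOG = """\
01/12/2014-04:25:00.310000  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc] [Priority: 3] {TCP} 10.0.0.5:40001 -> 203.0.113.7:80
"""

TS = r"(\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)"
HTTP_RE = re.compile(TS + r" (\S+) \[\*\*\] (\S+) \[\*\*\] .*? \[\*\*\] (\S+) -> (\S+)$")
FAST_RE = re.compile(TS + r"\s+\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\] .*\{\w+\} (\S+) -> (\S+)$")

def parse_ts(s):
    return datetime.strptime(s, "%m/%d/%Y-%H:%M:%S.%f")

def pair(src, dst):
    # Order-independent endpoint pair: an alert raised on the response has src/dst swapped.
    return tuple(sorted((src, dst)))

def parse_http(text):
    rows = []
    for m in filter(None, map(HTTP_RE.match, text.splitlines())):
        ts, host, uri, src, dst = m.groups()
        rows.append({"ts": parse_ts(ts), "host": host, "uri": uri, "key": pair(src, dst)})
    return rows

def parse_fast(text):
    rows = []
    for m in filter(None, map(FAST_RE.match, text.splitlines())):
        ts, sid, msg, src, dst = m.groups()
        rows.append({"ts": parse_ts(ts), "sid": sid, "msg": msg, "key": pair(src, dst)})
    return rows

def correlate(alerts, requests, window=timedelta(seconds=1)):
    """Pair each alert with the nearest-in-time http.log request on the same
    endpoints, if one lies within `window`. Requests on a keep-alive
    connection share endpoints, so this is a heuristic; tx_id is exact."""
    out = []
    for a in alerts:
        cands = [r for r in requests if r["key"] == a["key"] and abs(r["ts"] - a["ts"]) <= window]
        if cands:
            best = min(cands, key=lambda r: abs(r["ts"] - a["ts"]))
            out.append({"sid": a["sid"], "msg": a["msg"], "host": best["host"], "uri": best["uri"]})
    return out
```

With the sample data the alert lands on the second request (10 ms apart) rather than the first on the same connection (210 ms apart), which is exactly the ambiguity the tx_id in the debug log removes.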
