[Oisf-users] http.log + rules meta information

Nikita Kislitsin kislitsin at group-ib.ru
Mon Jan 13 18:32:39 UTC 2014


The correlation between fast.log and http.log looks poor in my case so far.
I got some records in fast.log caused by botnet activity. I wanted to find
details on the HTTP requests that were sent to C2 servers. And there are no such
records in http.log! Looks like many HTTP requests are missing from http.log.

Probably I misconfigured Suricata. It shows such messages:
13/1/2014 -- 22:04:26 - <Info> - Flow emergency mode over, back to
normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1389636266,
ts.tv_usec:8746) flow_spare_q status(): 36% flows at the queue

And in stats.log I see that:

capture.kernel_packets    | RxPFRp6p11                | 326355778
capture.kernel_drops      | RxPFRp6p11                | 16148543

Looks like Suricata is misconfigured and is missing packets? I got plenty of
memory, two good CPUs. The link is 10G, and the actual load is 2-3G. I use
only botcc.rules now.

Some performance-related details from my suricata.yaml:

max-pending-packets: 65000

detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 200
      toclient-dst-groups: 200
      toclient-sp-groups: 200
      toclient-dp-groups: 300
      toserver-src-groups: 200
      toserver-dst-groups: 400
      toserver-sp-groups: 200
      toserver-dp-groups: 200
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

What should I change so Suricata would work properly?

Thanks!


2014/1/12 Peter Manev <petermanev at gmail.com>

> On Sat, Jan 11, 2014 at 10:17 PM, Nikita Kislitsin
> <kislitsin at group-ib.ru> wrote:
> >
> > Thanks!
> >
> > I need to search in http requests and write a log that includes all the
> details about matching sessions - src/dst ip:port, matched rule msg,
> domain, URI and method of HTTP-request.
> >
> > Looks like Suricata can't do that from the box, right?
> >
> >
>
>
> Not right out of the box.
> It still looks to me that you need to correlate data - but you would
> like all the information about that specific session to be written in
> one specific log, correct?
>
> Just to point out, entries in the http.log are not directly related to
> those in the fast.log (alert). In other words, http.log logs all the
> HTTP requests Suricata sees, regardless of whether alerts are
> triggered or not.
>
> Suricata can also write detailed DNS, TLS and file logs (besides alert and
> http), fyi.
>
>
>
> thanks
>
>
>
> --
> Regards,
> Peter Manev
>



-- 
Nikita Kislitsin
Head of Botnet Monitoring Project
Group-IB
kislitsin at group-ib.com
www.group-ib.com
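Since http.log is written for every request Suricata sees and carries no alert information, the only way to get the "one log line with src/dst ip:port, rule msg, host, URI" record asked for above is to join the two files afterwards on the flow 5-tuple plus a time window. The script below is an added example, not code from the poster or from the Suricata project. It assumes the fast.log and default (non-extended) http.log line layouts of Suricata 1.x/2.0, matches each alert against requests on the same (or reversed, for to-client alerts) flow within a few seconds, and reports alerts that have no request at all. The sample log lines are constructed for the example; the hosts and addresses are not real C2 servers. An alert with no request in the window is exactly what a dropped packet produces, and the stats.log figures above (16148543 drops out of 326355778 packets, about 5%) mean some requests never reached the HTTP parser. The HTTP method is only present in http.log when the http-log output is configured with `extended: yes`; the parser keeps any such extra fields raw.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"

# Constructed sample lines (not from the poster's sensor), shaped like
# Suricata 1.x/2.0 fast.log and default http.log output.
FAST_LOG = """\
01/13/2014-22:04:26.118740  [**] [1:2404000:3445] ET CNC Shadowserver Reported CnC Server TCP (group 1) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.25:49152 -> 198.51.100.7:80
01/13/2014-22:05:01.000101  [**] [1:2404001:3445] ET CNC Shadowserver Reported CnC Server TCP (group 2) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.31:50001 -> 203.0.113.9:8080
"""

HTTP_LOG = """\
01/13/2014-22:04:26.121005 cnc.example [**] /gate.php?id=7 [**] Mozilla/4.0 (compatible; MSIE 6.0) [**] 10.0.0.25:49152 -> 198.51.100.7:80
01/13/2014-22:04:27.500000 www.example.net [**] /index.html [**] Mozilla/5.0 [**] 10.0.0.25:49153 -> 192.0.2.44:80
01/13/2014-22:09:00.000000 cnc.example [**] /gate.php?id=7 [**] Mozilla/4.0 (compatible; MSIE 6.0) [**] 10.0.0.25:49152 -> 198.51.100.7:80
"""

FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*\{(?P<proto>\w+)\} (?P<flow>\S+:\d+ -> \S+:\d+)$"
)


def parse_flow(text):
    """'src:sport -> dst:dport' -> (src, sport, dst, dport), or None."""
    m = FLOW_RE.match(text)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return (src, int(sport), dst, int(dport))


def parse_fast(text):
    """Parse fast.log alert lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        alerts.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "sid": m["sid"], "msg": m["msg"], "proto": m["proto"],
            "flow": parse_flow(m["flow"]),
        })
    return alerts


def parse_http(text):
    """Parse http.log. Fields are ' [**] '-separated: first is 'ts host',
    then URI, then User-Agent, then (extended mode only) more fields,
    and the flow is always last. Extra fields are kept raw."""
    reqs = []
    for line in text.splitlines():
        fields = line.strip().split(" [**] ")
        if len(fields) < 4:
            continue
        ts_host = fields[0].split(" ", 1)
        flow = parse_flow(fields[-1])
        if len(ts_host) != 2 or flow is None:
            continue
        reqs.append({
            "ts": datetime.strptime(ts_host[0], TS_FMT),
            "host": ts_host[1], "uri": fields[1], "ua": fields[2],
            "extra": fields[3:-1], "flow": flow,
        })
    return reqs


def correlate(fast_text, http_text, window_seconds=5):
    """For each alert, attach http.log requests on the same 5-tuple
    (either direction) whose timestamp is within the window.
    An empty 'http' list means no request was logged for that alert."""
    by_flow = defaultdict(list)
    for r in parse_http(http_text):
        by_flow[r["flow"]].append(r)
    window = timedelta(seconds=window_seconds)
    joined = []
    for a in parse_fast(fast_text):
        src, sport, dst, dport = a["flow"]
        # to-client alerts log server -> client, so also try the reverse key
        candidates = by_flow.get((src, sport, dst, dport), []) \
            + by_flow.get((dst, dport, src, sport), [])
        hits = [r for r in candidates if abs(r["ts"] - a["ts"]) <= window]
        joined.append({**a, "http": hits})
    return joined


if __name__ == "__main__":
    for rec in correlate(FAST_LOG, HTTP_LOG):
        src, sport, dst, dport = rec["flow"]
        if not rec["http"]:
            print(f"{rec['ts']} {rec['sid']} {rec['msg']} {src}:{sport} -> "
                  f"{dst}:{dport} NO http.log entry (dropped or non-HTTP?)")
        for r in rec["http"]:
            print(f"{rec['ts']} {rec['sid']} {rec['msg']} {src}:{sport} -> "
                  f"{dst}:{dport} host={r['host']} uri={r['uri']}")
```

On the sample data the first alert joins to the /gate.php request logged 3 ms later on the same flow, the request four and a half minutes later on that flow is outside the window and ignored, and the second alert has no request at all. Run it against real files with `correlate(open("fast.log").read(), open("http.log").read())`; widen `window_seconds` if the sensor's alert and http timestamps drift apart on long flows.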