[Oisf-users] Correlating http transactions and alert logs

Darren Spruell phatbuckett at gmail.com
Fri Jul 11 09:09:42 UTC 2014


Greetings,

Request in the same vein as
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-January/003281.html

I'm embarking on a task with Suricata where I'd need to specifically
correlate alerts to HTTP requests - namely to associate the set of
alerts that fire in connection with the HTTP transaction under
inspection. Currently Suricata logging is the only data source
available to do this for the environment, and I'd prefer to use EVE
logging.

If I understand correctly, Suricata can generate debug alerting with
knowledge of the transaction being handled at the moment of alert.
I've peeked at the debug log output and it is not appropriate for our
use case. Is it possible to have Suricata generate http logs (maybe
other service logs too?) that include data about any alerts that were
generated inspecting that transaction? I want to make sure we have a
strong correlator on these events, so attempting to match logs up by
timestamp or similar is potentially impractical or at the least
awkward and potentially fraught with #fail.

Alternatively, is it possible to tag the transaction ID at logging
time into both the alert log and the http log that would allow
correlation on the two in a datastore?

Or is there another way of accomplishing this?


By the way, absolutely gleeful about this performance:

9/7/2014 -- 19:17:33 - <Notice> - Stats for 'bond1':  pkts: 18668355600, drop: 50066 (0.00%), invalid chksum: 13028
11/7/2014 -- 00:52:46 - <Notice> - Stats for 'bond1':  pkts: 11102827636, drop: 41230 (0.00%), invalid chksum: 10322

-- 
Darren Spruell
phatbuckett at gmail.com
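One way to do the join the poster is asking about, as an added example that is not part of the original thread: it assumes EVE records that carry a flow_id and a tx_id on both alert and http events (fields present in later Suricata releases, not necessarily in the 2.0-era build discussed here), joins on that pair independent of log order, and sets aside alerts that cannot be tied to any HTTP transaction instead of guessing by timestamp.

```python
"""Join Suricata EVE alert records to the HTTP transaction they fired on."""
import json
from collections import defaultdict

# Constructed EVE lines (not real traffic). Field names follow the EVE
# format of later Suricata releases, which put flow_id and tx_id on both
# alert and http records; a record lacking either key is treated below
# as "uncorrelatable" rather than as an error. Note the alert lines are
# written before their http line, as happens in a real eve.json.
SAMPLE_EVE = """\
{"timestamp":"2014-07-11T09:00:01.000000+0000","event_type":"alert","flow_id":1001,"tx_id":0,"alert":{"signature_id":2000001,"signature":"TEST alert on request A"}}
{"timestamp":"2014-07-11T09:00:01.000100+0000","event_type":"http","flow_id":1001,"tx_id":0,"http":{"hostname":"example.com","url":"/a"}}
{"timestamp":"2014-07-11T09:00:02.000000+0000","event_type":"alert","flow_id":1001,"tx_id":1,"alert":{"signature_id":2000002,"signature":"TEST alert on request B"}}
{"timestamp":"2014-07-11T09:00:02.000000+0000","event_type":"alert","flow_id":1001,"tx_id":1,"alert":{"signature_id":2000003,"signature":"TEST second alert on request B"}}
{"timestamp":"2014-07-11T09:00:02.000100+0000","event_type":"http","flow_id":1001,"tx_id":1,"http":{"hostname":"example.com","url":"/b"}}
{"timestamp":"2014-07-11T09:00:03.000000+0000","event_type":"alert","flow_id":1002,"alert":{"signature_id":2000004,"signature":"TEST flow-level alert, no tx"}}
"""


def tx_key(rec):
    """Correlation key (flow_id, tx_id); None if the record lacks either."""
    if "flow_id" not in rec or "tx_id" not in rec:
        return None
    return (rec["flow_id"], rec["tx_id"])


def correlate(eve_lines):
    """Return ({key: {"http": rec, "alerts": [...]}}, [orphan alerts])."""
    txs = defaultdict(lambda: {"http": None, "alerts": []})
    orphans = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        key = tx_key(rec)
        if rec.get("event_type") == "http" and key is not None:
            txs[key]["http"] = rec
        elif rec.get("event_type") == "alert":
            if key is None:
                orphans.append(rec)  # flow-level alert, no transaction
            else:
                txs[key]["alerts"].append(rec)
    # Alerts whose transaction never produced an http record are orphans too
    for key, tx in list(txs.items()):
        if tx["http"] is None:
            orphans.extend(tx["alerts"])
            del txs[key]
    return dict(txs), orphans


if __name__ == "__main__":
    joined, unmatched = correlate(SAMPLE_EVE.splitlines())
    for (flow, tx), entry in sorted(joined.items()):
        sids = [a["alert"]["signature_id"] for a in entry["alerts"]]
        print(flow, tx, entry["http"]["http"]["url"], sids)
    print("unmatched alerts:", len(unmatched))
```

Run against a real eve.json the same function works unchanged; alerts landing in the unmatched list are the ones a timestamp-based join would have mis-attributed or dropped.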

