[Oisf-users] Correlating http transactions and alert logs

Darren Spruell phatbuckett at gmail.com
Fri Jul 11 09:09:42 UTC 2014


Request in same vein as

I'm embarking on a task with Suricata where I'd need to specifically
correlate alerts to HTTP requests - namely to associate the set of
alerts that fire in connection with the HTTP transaction under
inspection. Currently Suricata logging is the only data source
available to do this for the environment, and I'd prefer to use EVE

If I understand correctly Suricata can generate debug alerting with
knowledge of the transaction being handled at the moment of alert.
I've peeked at the debug log output and it is not appropriate for our
use case. Is it possible to have Suricata generate http logs (maybe
other service logs too?) that include data about any alerts that were
generated inspecting that transaction? I want to make sure we have a
strong correlator on these events, so attempting to match logs up by
timestamp or similar is potentially impractical or at the least
awkward and potentially fraught with #fail.

Alternatively, is it possible to tag the transaction ID at logging
time into both the alert log and the http log that would allow
correlation on the two in a datastore?

Or is there another way of accomplishing this?

By the way, absolutely gleeful about this performance:

9/7/2014 -- 19:17:33 - <Notice> - Stats for 'bond1':  pkts:
18668355600, drop: 50066 (0.00%), invalid chksum: 13028
11/7/2014 -- 00:52:46 - <Notice> - Stats for 'bond1':  pkts:
11102827636, drop: 41230 (0.00%), invalid chksum: 10322

Darren Spruell
phatbuckett at gmail.com

More information about the Oisf-users mailing list