[Oisf-users] HTTP Logging Update
Duarte Silva
duarte.silva at serializing.me
Wed Jul 23 17:27:03 UTC 2014
Hi,
Today I had a problem with one of our sensors: it stopped logging HTTP and DNS
(no matter what logger was enabled).
I tried all the tricks in the book: restart, change the BPF filter,
disable/enable VLAN tracking, ... nothing worked.
I could see the packets arriving with tcpdump, Suricata was receiving the
packets and there were no problems (drops, gaps, ...).
Without any other option on the Suricata side, I decided to re-create the SPAN
configuration. It "magically" started to work again. I wrote "magically"
because I still don't know why it stopped working since the switch wasn't
messed with and Suricata is still running with the same configuration it had
before.
Anyway, a good thing to try if you have a mirror-port configuration :)
Hope it helps,
Duarte Silva
On Thursday 05 June 2014 17:42:50 Adnan Baykal wrote:
> Yes I did. It did not make a difference.
>
> On June 5, 2014 4:56:25 PM EDT, Victor Julien <lists at inliniac.net> wrote:
> >On 06/05/2014 10:22 PM, Adnan Baykal wrote:
> >> when I turn on midstream, it starts logging some http traffic. So, the
> >> $1 million question is "WHY". What is wrong with this network/config
> >> that is causing this?
> >
> >Did you try:
> >
> >vlan:
> > use-for-tracking: false