[Oisf-users] Correlating http transactions and alert logs

Cooper F. Nelson cnelson at ucsd.edu
Fri Jul 11 19:14:05 UTC 2014

Hash: SHA1

I did something like this in the past with moloch:

> https://github.com/aol/moloch

You can search by src IP/port and dst IP/port in order to extract the
packet capture for that IP conversation.

If you want to do something like this with suricata, just use custom
http logging and enable the src/dst ports:

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging

It's possible you would get a collision, but unlikely if you the data
searched is recent.

- -Coop

On 7/11/2014 2:09 AM, Darren Spruell wrote:
> Greetings,
> Request in same vein as
> https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-January/003281.html
> I'm embarking on a task with Suricata where I'd need to specifically
> correlate alerts to HTTP requests - namely to associate the set of
> alerts that fire in connection with the HTTP transaction under
> inspection. Currently Suricata logging is the only data source
> available to do this for the environment, and I'd prefer to use EVE
> logging.
> If I understand correctly Suricata can generate debug alerting with
> knowledge of the transaction being handled at the moment of alert.
> I've peeked at the debug log output and it is not appropriate for our
> use case. Is it possible to have Suricata generate http logs (maybe
> other service logs too?) that include data about any alerts that were
> generated inspecting that transaction? I want to make sure we have a
> strong correlator on these events, so attempting to match logs up by
> timestamp or similar is potentially impractical or at the least
> awkward and potentially fraught with #fail.
> Alternatively, is it possible to tag the transaction ID at logging
> time into both the alert log and the http log that would allow
> correlation on the two in a datastore?
> Or is there another way of accomplishing this?
> By the way, absolutely gleeful about this performance:
> 9/7/2014 -- 19:17:33 - <Notice> - Stats for 'bond1':  pkts:
> 18668355600, drop: 50066 (0.00%), invalid chksum: 13028
> 11/7/2014 -- 00:52:46 - <Notice> - Stats for 'bond1':  pkts:
> 11102827636, drop: 41230 (0.00%), invalid chksum: 10322

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the Oisf-users mailing list