[Oisf-users] Correlating http transactions and alert logs

Fri Jul 11 19:14:05 UTC 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did something like this in the past with moloch:

> https://github.com/aol/moloch

You can search by src IP/port and dst IP/port in order to extract the
packet capture for that IP conversation.

If you want to do something like this with suricata, just use custom
http logging and enable the src/dst ports:

> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging

It's possible you would get a collision, but unlikely if you the data
searched is recent.

- -Coop

On 7/11/2014 2:09 AM, Darren Spruell wrote:
> Greetings,
> 
> Request in same vein as
> https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-January/003281.html
> 
> I'm embarking on a task with Suricata where I'd need to specifically
> correlate alerts to HTTP requests - namely to associate the set of
> alerts that fire in connection with the HTTP transaction under
> inspection. Currently Suricata logging is the only data source
> available to do this for the environment, and I'd prefer to use EVE
> logging.
> 
> If I understand correctly Suricata can generate debug alerting with
> knowledge of the transaction being handled at the moment of alert.
> I've peeked at the debug log output and it is not appropriate for our
> use case. Is it possible to have Suricata generate http logs (maybe
> other service logs too?) that include data about any alerts that were
> generated inspecting that transaction? I want to make sure we have a
> strong correlator on these events, so attempting to match logs up by
> timestamp or similar is potentially impractical or at the least
> awkward and potentially fraught with #fail.
> 
> Alternatively, is it possible to tag the transaction ID at logging
> time into both the alert log and the http log that would allow
> correlation on the two in a datastore?
> 
> Or is there another way of accomplishing this?
> 
> 
> By the way, absolutely gleeful about this performance:
> 
> 9/7/2014 -- 19:17:33 - <Notice> - Stats for 'bond1':  pkts:
> 18668355600, drop: 50066 (0.00%), invalid chksum: 13028
> 11/7/2014 -- 00:52:46 - <Notice> - Stats for 'bond1':  pkts:
> 11102827636, drop: 41230 (0.00%), invalid chksum: 10322
> 

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTwDd9AAoJEKIFRYQsa8FWX2kH/3SgT7xyauHeCHdItftBZh2b
36HGD/5apTItyop3s+wKZX/kPpJh7eE6+P485cDxjNusjLfAo649eZT/rJMC1dLs
FPaCibXrFAxuQnUHTQRUxpZj2tRQIt3DdYmacoZBTs+CJLsFR+AJ8dbkxA2jHqA8
h76kyHfeZ7Ul6614c2p3GYbJwaOuBwDvCTWwulvTQiIv1e1aohp6YbK86l9yxmai
NuEOQ1NFC9KNiOL+eBpI5uN0/TRGrmUiz+BAJmVGN6zpbkaF9nXGmxXhhYtDgMST
2O0M/3Sak1A1hitHViemfdfsxx8Wbuzib3PUrfvOfdUHLtO2K+S9p4za1H1HGCo=
=bSf5
-----END PGP SIGNATURE-----