[Oisf-users] Correlating http transactions and alert logs

Darren Spruell phatbuckett at gmail.com
Fri Jul 11 21:44:06 UTC 2014


On Fri, Jul 11, 2014 at 12:14 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> I did something like this in the past with moloch:
>
>> https://github.com/aol/moloch
>
> You can search by src IP/port and dst IP/port in order to extract the
> packet capture for that IP conversation.
>
> If you want to do something like this with suricata, just use custom
> http logging and enable the src/dst ports:
>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging
>
> It's possible you would get a collision, but unlikely if the data
> searched is recent.

The hangup I see with this in our case is the need for granular
attribution to specific resource requests. 5-tuple based correlation
can't get it when HTTP keepalives channel many requests over the same
flow.

DS



> On 7/11/2014 2:09 AM, Darren Spruell wrote:
>> Greetings,
>>
>> Request in same vein as
>> https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-January/003281.html
>>
>> I'm embarking on a task with Suricata where I'd need to specifically
>> correlate alerts to HTTP requests - namely to associate the set of
>> alerts that fire in connection with the HTTP transaction under
>> inspection. Currently Suricata logging is the only data source
>> available to do this for the environment, and I'd prefer to use EVE
>> logging.
>>
>> If I understand correctly Suricata can generate debug alerting with
>> knowledge of the transaction being handled at the moment of alert.
>> I've peeked at the debug log output and it is not appropriate for our
>> use case. Is it possible to have Suricata generate http logs (maybe
>> other service logs too?) that include data about any alerts that were
>> generated inspecting that transaction? I want to make sure we have a
>> strong correlator on these events, so attempting to match logs up by
>> timestamp or similar is potentially impractical or at the least
>> awkward and potentially fraught with #fail.
>>
>> Alternatively, is it possible to tag the transaction ID at logging
>> time into both the alert log and the http log that would allow
>> correlation on the two in a datastore?
>>
>> Or is there another way of accomplishing this?
>>
>>
>> By the way, absolutely gleeful about this performance:
>>
>> 9/7/2014 -- 19:17:33 - <Notice> - Stats for 'bond1':  pkts:
>> 18668355600, drop: 50066 (0.00%), invalid chksum: 13028
>> 11/7/2014 -- 00:52:46 - <Notice> - Stats for 'bond1':  pkts:
>> 11102827636, drop: 41230 (0.00%), invalid chksum: 10322
>>
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042



-- 
Darren Spruell
phatbuckett at gmail.com
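The keep-alive ambiguity raised in the reply above, and the transaction-ID correlation the original question asks for, shown side by side as an added example (not code from this thread or from Suricata). It assumes EVE JSON records that carry `flow_id` and `tx_id`, as later Suricata releases emit; the log lines, addresses and signature name are constructed.

```python
import json
from collections import defaultdict

# Constructed log: one keep-alive TCP flow carrying three HTTP requests, and
# one alert that fired while inspecting the second request (tx_id 1). The
# alert is logged from the server-to-client side, so src/dest are swapped.
EVE_LOG = """\
{"event_type":"http","flow_id":101,"tx_id":0,"proto":"TCP","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":80,"http":{"url":"/index.html"}}
{"event_type":"http","flow_id":101,"tx_id":1,"proto":"TCP","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":80,"http":{"url":"/cgi-bin/x.sh"}}
{"event_type":"alert","flow_id":101,"tx_id":1,"proto":"TCP","src_ip":"192.0.2.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":51000,"alert":{"signature":"CONSTRUCTED test alert"}}
{"event_type":"http","flow_id":101,"tx_id":2,"proto":"TCP","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":80,"http":{"url":"/logo.png"}}
"""

def parse_eve(text):
    """Parse EVE JSON lines (one object per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def five_tuple(ev):
    """Direction-insensitive 5-tuple: alerts raised on the response side
    log src/dest swapped relative to the http record, so order the ends."""
    ends = sorted([(ev["src_ip"], ev["src_port"]), (ev["dest_ip"], ev["dest_port"])])
    return (ev["proto"], ends[0], ends[1])

def correlate_by_5tuple(events):
    """Map each alert signature to the URLs sharing its 5-tuple.
    Under HTTP keep-alive every request on the flow matches, so the
    result is a list of candidates rather than one request."""
    urls = defaultdict(list)
    for ev in events:
        if ev["event_type"] == "http":
            urls[five_tuple(ev)].append(ev["http"]["url"])
    return {ev["alert"]["signature"]: urls[five_tuple(ev)]
            for ev in events if ev["event_type"] == "alert"}

def correlate_by_tx(events):
    """Map each alert signature to the single URL whose (flow_id, tx_id)
    matches; None if the http record for that transaction is missing."""
    urls = {}
    for ev in events:
        if ev["event_type"] == "http":
            urls[(ev["flow_id"], ev["tx_id"])] = ev["http"]["url"]
    return {ev["alert"]["signature"]: urls.get((ev["flow_id"], ev["tx_id"]))
            for ev in events if ev["event_type"] == "alert"}

if __name__ == "__main__":
    evs = parse_eve(EVE_LOG)
    print("5-tuple:", correlate_by_5tuple(evs))
    print("tx:     ", correlate_by_tx(evs))
```

With custom http logging and src/dst ports alone (the 2014 setup), only the first, ambiguous form is available; the second needs the per-transaction IDs in both the alert and http records.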

