[Oisf-users] HTTP Logging Update

Cooper F. Nelson cnelson at ucsd.edu
Wed Jul 23 17:49:40 UTC 2014



Do you know if the previous SPAN configuration was adding or stripping
vlan tags?  If you use bpf filters you need to explicitly set a filter
for vlan traffic.  Peter Manev wrote up a guide here:

> http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html

I never encountered this issue as I use a VACL instead of SPAN, which
disabled vlan tags by default.

-Coop

On 7/23/2014 10:27 AM, Duarte Silva wrote:
> Hi,
> 
> today I had a problem with one of our sensors, it stopped logging HTTP and DNS 
> (no matter what logger was enabled).
> 
> I tried all the tricks in the book, restart, change the BPF filter, 
> disable/enable VLAN tracking, ... nothing worked.
> 
> I could see the packets arriving with tcpdump, Suricata was receiving the 
> packets and there were no problems (drops, gaps, ...).
> 
> Without any other option on the Suricata side, I decided to re-create the SPAN 
> configuration. It "magically" started to work again. I wrote "magically" 
> because I still don't know why it stopped working since the switch wasn't 
> messed with and Suricata is still running with the same configuration it had 
> before.
> 
> Anyway, a good thing to try if you have a mirror port configuration :)
> 
> Hope it helps,
> Duarte Silva
> 
> On Thursday 05 June 2014 17:42:50 Adnan Baykal wrote:
>> Yes I did. It did not make a difference.
>>
>> On June 5, 2014 4:56:25 PM EDT, Victor Julien <lists at inliniac.net> wrote:
>>> On 06/05/2014 10:22 PM, Adnan Baykal wrote:
>>>> when I turn on midstream, it starts logging some http traffic. So, 1
>>>> million $ question is " WHY". What is wrong with this network/config
>>>> that is causing this?
>>>
>>> Did you try:
>>>
>>> vlan:
>>>  use-for-tracking: false
> 
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
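Added example (not code from the thread or from Suricata): a minimal frame dissector that reproduces the BPF behaviour behind Cooper's advice. libpcap fixes header offsets when it compiles a filter, so a plain `port 80` tests the ethertype at offset 12; on an 802.1Q-tagged frame that field holds 0x8100, the IPv4 test fails, and the frame is dropped by the filter even though tcpdump without a filter shows it. The `vlan` keyword shifts the offsets by 4, which is why the filter has to be written as `port 80 or (vlan and port 80)`. The example goes a step further than that expression and also walks QinQ (0x88A8) outer tags (in BPF terms, `vlan and vlan and port 80`). `vlan_ids()` pulls out the tag IDs that Suricata adds to the flow key when `vlan.use-for-tracking` is true, the option Victor suggested turning off. The two frames are constructed sample input; the MAC and IP addresses are made up.

```python
"""Emulate BPF 'port N' with and without VLAN awareness on 802.1Q frames.

Constructed example: builds one untagged and one VLAN-tagged Ethernet frame
carrying an IPv4/TCP segment and runs a minimal BPF-style port match over both.
"""
import struct
from typing import List, Optional

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100   # single 802.1Q tag
ETH_P_8021AD = 0x88A8  # QinQ outer tag


def build_frame(dst_port: int, vlan_id: Optional[int] = None) -> bytes:
    """Return an Ethernet frame with a minimal IPv4/TCP SYN (constructed sample data)."""
    src_mac = bytes.fromhex("020000000001")  # made-up locally administered MACs
    dst_mac = bytes.fromhex("020000000002")
    # TCP: sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + tcp
    tci = vlan_id & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN ID
    return (dst_mac + src_mac + struct.pack("!HH", ETH_P_8021Q, tci)
            + struct.pack("!H", ETH_P_IP) + ip + tcp)


def matches_port(frame: bytes, port: int, vlan_aware: bool) -> bool:
    """vlan_aware=False behaves like BPF 'port N'; True like 'port N or (vlan and port N)'.

    Without VLAN awareness the ethertype field at offset 12 reads 0x8100 on a
    tagged frame, so the IPv4 check fails and the frame never reaches the port test.
    With it, every tag encountered shifts the header offsets by 4 bytes.
    """
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if not vlan_aware:
            return False  # this is the silent drop a plain 'port N' filter causes
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != ETH_P_IP:
        return False
    ip_off = off + 2
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 6:  # protocol field: only TCP carries ports here
        return False
    sport, dport = struct.unpack_from("!HH", frame, ip_off + ihl)
    return port in (sport, dport)


def vlan_ids(frame: bytes) -> List[int]:
    """Return the VLAN IDs on the frame, outermost first (empty for untagged frames)."""
    ids, off = [], 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        ids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return ids


if __name__ == "__main__":
    for label, frame in (("untagged", build_frame(80)), ("vlan 100", build_frame(80, 100))):
        print(label, "port 80:", matches_port(frame, 80, vlan_aware=False),
              "port 80 or (vlan and port 80):", matches_port(frame, 80, vlan_aware=True),
              "tags:", vlan_ids(frame))
```

The practical check on a sensor is to compare packet counts from `tcpdump -i <iface> 'port 80'` and `tcpdump -i <iface> 'port 80 or (vlan and port 80)'` on the mirror port: if only the second one counts, the SPAN is delivering tagged frames and Suricata's BPF filter needs the `vlan` clause. Whether to also keep `vlan.use-for-tracking` enabled depends on whether both directions of a flow arrive with the same tags; if the mirror delivers one direction tagged and the other not, flow tracking keyed on the VLAN ID splits the two halves, which is my reading of the option rather than something the thread states.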
