[Oisf-users] HTTP Logging Update

Cooper F. Nelson cnelson at ucsd.edu
Wed Jul 23 17:49:40 UTC 2014

Hash: SHA1

Do you know if the previous SPAN configuration was adding or stripping
vlan tags?  If you use bpf filters you need to explicitly set a filter
for vlan traffic.  Peter Manev wrote up a guide here:

> http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html

I never encountered this issue as I use a VACL instead of SPAN, which
disabled vlan tags by default.

- -Coop

On 7/23/2014 10:27 AM, Duarte Silva wrote:
> Hi,
> today I had a problem with one of our sensors, it stopped logging HTTP and DNS 
> (no matter what logger was enabled).
> I tried all the tricks int the book, restart, change the BPF filter, 
> disable/enable VLAN tracking, ... nothing worked.
> I could see the packets arriving with tcpdump, Suricata was receiving the 
> packets and there were no problems (drops, gaps, ...).
> Without any other option on the Suricata side, I decided to re-create the SPAN 
> configuration. It "magically" started to work again. I wrote "magically" 
> because I still don't know why it stopped working since the switch wasn't 
> messed with and Suricata is still running with the same configuration it had 
> before.
> Anyway, a good thing to try if you a have a mirror port configuration :)
> Hope it helps,
> Duarte Silva
> On Thursday 05 June 2014 17:42:50 Adnan Baykal wrote:
>> Yes I did. It did not make a difference.
>> On June 5, 2014 4:56:25 PM EDT, Victor Julien <lists at inliniac.net> wrote:
>>> On 06/05/2014 10:22 PM, Adnan Baykal wrote:
>>>> when I turn on midstream, it starts logging some http traffic. So, 1
>>>> million $ question is " WHY". What is wrong with this network/config
>>>> that is causing this?
>>> Did you try:
>>> vlan:
>>>  use-for-tracking: false
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the Oisf-users mailing list