[Oisf-users] HTTP Logging Update

Duarte Silva duarte.silva at serializing.me
Wed Jul 23 20:03:44 UTC 2014


On Wednesday 23 July 2014 10:49:40 Cooper F. Nelson wrote:
> Do you know if the previous SPAN configuration was adding or stripping
> vlan tags?  If you use bpf filters you need to explicitly set a filter 
> for vlan traffic.  Peter Manev wrote up a guide here:
> http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html

Interesting, VLAN tags (we do mirror using VLANs) are being stripped (at least 
on the sensors where logging was working, the VLAN counter is always zero).

I will double check it though.

> I never encountered this issue as I use a VACL instead of SPAN, which
> disabled vlan tags by default.

Need to check the switch documentation for any VLAN stripping configuration in 
SPAN ports.

Thanks for the tips,
Duarte

> 
> -Coop
> 
> On 7/23/2014 10:27 AM, Duarte Silva wrote:
> > Hi,
> > 
> > today I had a problem with one of our sensors, it stopped logging HTTP and
> > DNS (no matter what logger was enabled).
> > 
> > I tried all the tricks in the book, restart, change the BPF filter,
> > disable/enable VLAN tracking, ... nothing worked.
> > 
> > I could see the packets arriving with tcpdump, Suricata was receiving the
> > packets and there were no problems (drops, gaps, ...).
> > 
> > Without any other option on the Suricata side, I decided to re-create the
> > SPAN configuration. It "magically" started to work again. I wrote
> > "magically" because I still don't know why it stopped working since the
> > switch wasn't messed with and Suricata is still running with the same
> > configuration it had before.
> > 
> > Anyway, a good thing to try if you have a mirror port configuration :)
> > 
> > Hope it helps,
> > Duarte Silva
> > 
> > On Thursday 05 June 2014 17:42:50 Adnan Baykal wrote:
> >> Yes I did. It did not make a difference.
> >> 
> >> On June 5, 2014 4:56:25 PM EDT, Victor Julien <lists at inliniac.net> wrote:
> >>> On 06/05/2014 10:22 PM, Adnan Baykal wrote:
> >>>> when I turn on midstream, it starts logging some http traffic. So, 1
> >>>> million $ question is "WHY". What is wrong with this network/config
> >>>> that is causing this?
> >>> 
> >>> Did you try:
> >>> 
> >>> vlan:
> >>>  use-for-tracking: false
> > 
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> 
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
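
An added check for the tag-stripping question discussed above (example code, not from the thread or the Suricata project): a small pcap walker that counts 802.1Q-tagged versus untagged frames captured on the sensor, so you can tell whether the mirror port actually delivers VLAN tags before tuning the BPF filter or `vlan: use-for-tracking`. The sample frames are constructed inline, and `bpf_with_vlan` is an assumed helper name that builds the libpcap idiom matching both tagged and untagged traffic for one expression.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps

def build_frame(tagged: bool, vlan_id: int = 100) -> bytes:
    """Constructed sample Ethernet frame; payload is a stand-in for IPv4."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    payload = b"\x45" + b"\x00" * 19
    if tagged:
        tci = vlan_id & 0x0FFF                      # PCP/DEI left at zero
        tag = struct.pack("!HH", ETHERTYPE_VLAN, tci)
        return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload

def build_pcap(frames) -> bytes:
    """Wrap frames in a minimal pcap file (linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body

def count_vlan_frames(pcap: bytes) -> dict:
    """Count tagged vs. untagged frames; zero tagged means the SPAN strips."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap handled here")
    stats = {"tagged": 0, "untagged": 0, "vlan_ids": set()}
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14:
            continue                                 # truncated record
        ethertype, = struct.unpack("!H", frame[12:14])
        if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
            tci, = struct.unpack("!H", frame[14:16])
            stats["tagged"] += 1
            stats["vlan_ids"].add(tci & 0x0FFF)
        else:
            stats["untagged"] += 1
    return stats

def bpf_with_vlan(expr: str) -> str:
    """libpcap idiom: a plain filter misses tagged frames unless 'vlan' is set."""
    return f"({expr}) or (vlan and ({expr}))"

if __name__ == "__main__":
    capture = build_pcap([build_frame(True, 100), build_frame(True, 200), build_frame(False)])
    print(count_vlan_frames(capture), bpf_with_vlan("port 80"))
```

Run `count_vlan_frames` over a real `tcpdump -w` capture from the sensor interface; if `tagged` stays zero while the switch is configured for VLAN mirroring, the SPAN session is stripping tags and a `vlan`-aware BPF is not what is needed.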
