[Oisf-users] HTTP Logging Update

Peter Manev petermanev at gmail.com
Wed Jun 4 20:17:22 UTC 2014


On Wed, Jun 4, 2014 at 10:08 PM, Adnan Baykal <abaykal at gmail.com> wrote:
> I have been having no HTTP logging at all on one of my sensors. I have
> posted several questions to this blog. Mind you that this sensor does drop
> a significant amount of data (about 50%) and I do understand that there will
> be a lot of http traffic missed due to drops but not having any entry in the
> http.log file was concerning. I thought I would at least see some entries.
>
> This morning, I found a setting:
>
>   midstream: true             # do not allow midstream session pickups
>   async_oneside: true         # do not enable async stream handling
>
> When the above setting is applied to the stream, I get limited HTTP log. My
> question is "can this change in behavior be explained by dropped packets"?
> Does this change further support the theory that this box is significantly
> undersized and that the bigger box would operate normally with full HTTP
> traffic?
>
> I am in the process of upgrading this sensor to a 32GB 20 Core system (it is
> currently 16GB 8 Core).
>
> Thanks,
>
> --Adnan
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

In general, if you have a significant % of drops, you will be missing a
lot of logs.
How much traffic do you inspect with that set up? (and how many rules
do you load?)


-- 
Regards,
Peter Manev
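As an added illustration (not code from this thread or from the Suricata project), the script below reads the kernel drop counters from a stats.log and applies a simple per-packet drop model to show why a sensor dropping about half its packets logs almost no HTTP with midstream pickup off, and noticeably more with it on. The stats.log sample is constructed, and the "every handshake packet must survive" model is an assumption used for estimation, not a description of Suricata internals.

```python
import re

# Constructed sample in the layout of Suricata's stats.log (counter | thread | value);
# the numbers are made up to mirror the ~50% drop rate described in the thread.
SAMPLE_STATS = """\
capture.kernel_packets   | RxPcapeth01 | 2000000
capture.kernel_drops     | RxPcapeth01 | 1000000
decoder.pkts             | RxPcapeth01 | 1000000
"""

STATS_LINE = re.compile(r"^\s*([\w.]+)\s*\|\s*\S+\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Sum each counter across capture threads."""
    counters = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line)
        if m:
            counters[m.group(1)] = counters.get(m.group(1), 0) + int(m.group(2))
    return counters


def drop_rate(counters):
    """Kernel drops relative to kernel-reported packets (denominator choice is an assumption)."""
    total = counters.get("capture.kernel_packets", 0)
    return counters.get("capture.kernel_drops", 0) / total if total else 0.0


def http_visibility(p_drop, midstream, handshake_pkts=3, request_pkts=1):
    """Estimate the fraction of HTTP requests that reach http.log.
    Model (assumption): each packet is dropped independently with probability p_drop.
    midstream off: the flow is only tracked if the whole handshake survived, so a
    request is logged with probability (1-p)^(handshake_pkts + request_pkts).
    midstream on: the flow is picked up from any later packet, so only the
    request packets themselves need to survive."""
    survive = 1.0 - p_drop
    needed = request_pkts + (0 if midstream else handshake_pkts)
    return survive ** needed


def assess(stats_text):
    """Drop rate plus estimated HTTP visibility for both midstream settings."""
    p = drop_rate(parse_stats(stats_text))
    return {
        "drop_rate": p,
        "http_logged_midstream_off": http_visibility(p, False),
        "http_logged_midstream_on": http_visibility(p, True),
    }


if __name__ == "__main__":
    for name, value in assess(SAMPLE_STATS).items():
        print(f"{name:28s} {value:.4f}")
```

With the constructed counters the estimate is about 6% of HTTP requests logged with midstream off versus 50% with it on, which is the kind of jump the original poster saw; a real sensor's stats.log will give its own drop rate.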


