[Oisf-users] Http/libhtp issue Suricata 2.0 on CentOS 6

(OISF) Martijn Schoemaker oisf at ficture.nl
Thu May 1 13:16:11 UTC 2014


I have been running suricata 1.4.7 for quite some time and it's working like a charm. When I saw that suricata 2.0 supports the eve-json log format for integration with logstash I wanted to upgrade to 2.0.

I downloaded the stable 2.0 release, built it and all seemed to run fine. However, I notices the http.log was no longer modified. Further investigation showed that all http event matching, http logging (http-log and eve http log) was no longer working. I started out with the exact same config as the working 1.4.7 release, then modified the 2.0 config accordingly but it just won't work.

I also noticed it now includes libhtp 0.5.10 instead of 0.2 so I tried to build against 0.2 but that's not supported. I also built the git current release (libhtp 0.5.11), but still no go. Strange thing is that http events are also no longer matched. I run on a machine which is connected to a monitor port so it cannot be checksum offloading (I also manually disabled it on the interface and disabled checksum checking in the suricata config, but all to no avail).

Whenever I revert to the 1.4.7 release everything works again.

So I have a big suspicion that either I'm doing something terribly wrong, or the libhtp 0.5 release is not working correctly anymore.

Is there anyone who observed the same issue ?

Martijn Schoemaker

More information about the Oisf-users mailing list