[Oisf-users] Suricata : http.log is empty
khushal kaviraj
khushal08 at yahoo.com
Wed Oct 7 22:38:13 UTC 2015
Hi Peter/Victor,
Can you please help me with this issue?Do you support 10G Mellanox card??
Thanks, Khushal
From: khushal kaviraj <khushal08 at yahoo.com>
To: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Sent: Friday, 2 October 2015 7:46 AM
Subject: Suricata : http.log is empty
Sending again as the first mail was a bit obfuscated due to formatting issues.
Hi Victor,
I am using Suricata(and ELK) to capture and analyze network packets.
I facing an issue with http packet capture. My http.log(and eve.json) is empty. I have verified with wireshark capture that http packets can be seen from the host. It’s just that suricata is not able to populate http.log.I was wondering, if you could give me some valuable inputs to troubleshoot this issue??
Physical setup
1. Packets are duplicated and sent to the Ubuntu server with suricata. A splitter, which sits between the border router and ISP(Similar to SPAN), sends the duplicate traffic to to our IDS server.
2. We are using a SuperMicro Xenon A+ 1042G-TF Server. A 10G FC port(eth2) is used for packet capture.
3. All offloading is disabled as following
khushal at hermes:/var/log/suricata$ sudo ethtool -k eth2Features for eth2rx-checksumming offtx-checksumming off tx-checksum-ipv4 off tx-checksum-ip-generic off [fixed] tx-checksum-ipv6 off tx-checksum-fcoe-crc off [fixed] tx-checksum-sctp off [fixed]scatter-gather off tx-scatter-gather off tx-scatter-gather-fraglist off [fixed]tcp-segmentation-offload off tx-tcp-segmentation off tx-tcp-ecn-segmentation off [fixed] tx-tcp6-segmentation offudp-fragmentation-offload off [fixed]generic-segmentation-offload offgeneric-receive-offload offlarge-receive-offload off [fixed]rx-vlan-offload on [fixed]tx-vlan-offload on [fixed]ntuple-filters off [fixed]receive-hashing offhighdma: on [fixed]rx-vlan-filter: on [fixed]vlan-challenged off [fixed]tx-lockless off [fixed]netns-local off [fixed]tx-gso-robust off [fixed]tx-fcoe-segmentation off [fixed]tx-gre-segmentation off [fixed]tx-ipip-segmentation off [fixed]tx-sit-segmentation off [fixed]tx-udp_tnl-segmentation off [fixed]tx-mpls-segmentation off [fixed]fcoe-mtu off [fixed]tx-nocache-copy onloopback offrx-fcs off [fixed]rx-all off [fixed]tx-vlan-stag-hw-insert off [fixed]rx-vlan-stag-hw-parse off [fixed]rx-vlan-stag-filter off [fixed]l2-fwd-offload off [fixed]khushal at hermes /var/log/suricata$
Currently, I am facing an issue with HTTP packet capture on eth2(FC Port).
Following are the details of this port description: Ethernet interface product: MT27500 Family [ConnectX-3] vendor: Mellanox Technologies physical id: 0 bus info: pci at 0000:03:00.0 logical name: eth2 version: 00 serial: 00:02:c9:23:12:00 width: 64 bits clock: 33MHz capabilities: pm vpd msix pciexpress bus_master cap_list rom ethernet physical fibre configuration: autonegotiation=off broadcast=yes driver=mlx4_en driverversion=2.2-1 (Feb 2014) duplex=full firmware=2.11.500 latency=0 link=yes multicast=yes port=fibre resources: irq:24 memory:dff00000-dfffffff memory:dd800000-ddffffff memory:dfe00000-dfefffff
Basically eth2(FC port) is not able to capture HTTP packets. It can capture all types of packets except for http and the http log is empty.
I was also facing the same issue on eth0(1G Copper port). After disabling offloading on eth0 and it started capturing HTTP packets. However, disabling offloading on eth2, does not help.
Suricata Version :This is Suricata version 2.0.8 RELEASE
Please find suricata.yaml attached.
Thanks, Khushal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151007/d08c6603/attachment-0002.html>
More information about the Oisf-users
mailing list