[Oisf-users] Suricata : http.log is empty
Victor Julien
lists at inliniac.net
Fri Oct 9 11:59:23 UTC 2015
On 01-10-15 23:46, khushal kaviraj wrote:
> Sending again as the first mail was a bit obfuscated due to formatting
> issues.
>
> Hi Victor,
>
> I am using Suricata(and ELK) to capture and analyze network packets.
>
> I am facing an issue with HTTP packet capture. My http.log (and eve.json) is
> empty. I have verified with a Wireshark capture that HTTP packets can be
> seen from the host. It's just that Suricata is not able to populate
> http.log.
> I was wondering if you could give me some valuable inputs to
> troubleshoot this issue?
>
> Physical setup
>
> 1. Packets are duplicated and sent to the Ubuntu server with Suricata. A
> splitter, which sits between the border router and ISP (similar to SPAN),
> sends the duplicate traffic to our IDS server.
>
> 2. We are using a SuperMicro Xenon A+ 1042G-TF Server. A 10G FC port (eth2)
> is used for packet capture.
>
> 3. All offloading is disabled as follows:
>
> khushal at hermes:/var/log/suricata$ sudo ethtool -k eth2
> Features for eth2
> rx-checksumming off
> tx-checksumming off
> tx-checksum-ipv4 off
> tx-checksum-ip-generic off [fixed]
> tx-checksum-ipv6 off
> tx-checksum-fcoe-crc off [fixed]
> tx-checksum-sctp off [fixed]
> scatter-gather off
> tx-scatter-gather off
> tx-scatter-gather-fraglist off [fixed]
> tcp-segmentation-offload off
> tx-tcp-segmentation off
> tx-tcp-ecn-segmentation off [fixed]
> tx-tcp6-segmentation off
> udp-fragmentation-offload off [fixed]
> generic-segmentation-offload off
> generic-receive-offload off
> large-receive-offload off [fixed]
> rx-vlan-offload on [fixed]
> tx-vlan-offload on [fixed]
> ntuple-filters off [fixed]
> receive-hashing off
> highdma: on [fixed]
> rx-vlan-filter: on [fixed]
> vlan-challenged off [fixed]
> tx-lockless off [fixed]
> netns-local off [fixed]
> tx-gso-robust off [fixed]
> tx-fcoe-segmentation off [fixed]
> tx-gre-segmentation off [fixed]
> tx-ipip-segmentation off [fixed]
> tx-sit-segmentation off [fixed]
> tx-udp_tnl-segmentation off [fixed]
> tx-mpls-segmentation off [fixed]
> fcoe-mtu off [fixed]
> tx-nocache-copy on
> loopback off
> rx-fcs off [fixed]
> rx-all off [fixed]
> tx-vlan-stag-hw-insert off [fixed]
> rx-vlan-stag-hw-parse off [fixed]
> rx-vlan-stag-filter off [fixed]
> l2-fwd-offload off [fixed]
> khushal at hermes /var/log/suricata$
>
> Currently, I am facing an issue with HTTP packet capture on eth2 (FC port).
>
> Following are the details of this port:
>   description: Ethernet interface
>   product: MT27500 Family [ConnectX-3]
>   vendor: Mellanox Technologies
>   physical id: 0
>   bus info: pci@0000:03:00.0
>   logical name: eth2
>   version: 00
>   serial: 00:02:c9:23:12:00
>   width: 64 bits
>   clock: 33MHz
>   capabilities: pm vpd msix pciexpress bus_master cap_list rom ethernet physical fibre
>   configuration: autonegotiation=off broadcast=yes driver=mlx4_en driverversion=2.2-1 (Feb 2014) duplex=full firmware=2.11.500 latency=0 link=yes multicast=yes port=fibre
>   resources: irq:24 memory:dff00000-dfffffff memory:dd800000-ddffffff memory:dfe00000-dfefffff
>
>
> Basically eth2 (FC port) is not able to capture HTTP packets. It can
> capture all types of packets except for HTTP, and the http log is empty.
>
> I was also facing the same issue on eth0 (1G copper port). After
> disabling offloading on eth0, it started capturing HTTP packets.
> However, disabling offloading on eth2 does not help.
>
> Suricata version:
> This is Suricata version 2.0.8 RELEASE
>
> Please find suricata.yaml attached.
>
Can you share a couple of records from your stats.log?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
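Since the reply asks for stats.log records, here is an added example (not from the thread or the Suricata project) of reading a 2.0.x-style stats.log and mapping its counters to the usual reasons an http.log stays empty; the excerpt is constructed, and the counter names used (decoder.pkts, decoder.tcp, tcp.invalid_checksum, capture.kernel_drops, app_layer.flow.http) are assumptions to check against your own file.

```python
import re
from typing import Dict, List, Tuple

# Constructed stats.log excerpt in the 2.0.x layout (not taken from the thread).
# The counter names are assumptions about that version's naming scheme; compare
# them with what your own stats.log prints before relying on the diagnosis.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 10/9/2015 -- 11:59:23 (uptime: 0d, 00h 05m 09s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth21             | 184233
capture.kernel_drops      | AFPacketeth21             | 0
decoder.pkts              | AFPacketeth21             | 184233
decoder.tcp               | AFPacketeth21             | 160912
tcp.sessions              | Detect                    | 2110
tcp.invalid_checksum      | Detect                    | 160900
app_layer.flow.http       | Detect                    | 0
"""

# counter | thread | integer value; the header, separators and Date line do not match
LINE_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Sum every counter over all threads (multi-thread setups list it once per thread)."""
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, _thread, value = m.groups()
            totals[name] = totals.get(name, 0) + int(value)
    return totals


def diagnose(totals: Dict[str, int]) -> List[Tuple[str, str]]:
    """Map counter patterns to (code, explanation) pairs for an empty http.log."""
    findings: List[Tuple[str, str]] = []
    tcp = totals.get("decoder.tcp", 0)
    bad_csum = totals.get("tcp.invalid_checksum", 0)
    if totals.get("decoder.pkts", 0) == 0:
        findings.append(("no-packets", "nothing decoded: check the capture interface and runmode settings"))
    if totals.get("capture.kernel_drops", 0) > 0:
        findings.append(("kernel-drops", "kernel drops packets: ring buffer too small or too few capture threads"))
    if tcp and bad_csum / tcp > 0.5:
        findings.append(("bad-checksums", "most TCP packets fail checksum validation, so the stream engine never "
                         "feeds the HTTP parser: fix checksum offload on the capture NIC or set "
                         "stream.checksum-validation: no in suricata.yaml"))
    elif tcp and totals.get("app_layer.flow.http", 0) == 0:
        findings.append(("no-http-flows", "TCP tracked but no flow detected as HTTP: confirm both directions "
                         "of the traffic reach the port, since a one-sided tap breaks reassembly"))
    return findings
```

Run `diagnose(parse_stats(open("/var/log/suricata/stats.log").read()))` against the real file; a tcp.invalid_checksum count close to decoder.tcp is the pattern that matches "other protocols log, HTTP does not" after an offload change.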