[Oisf-users] How to configure suricata to log bi-directional packets?

Maxim hittlle at 163.com
Fri Feb 3 10:03:35 UTC 2017

Hi all,
I used the following rule to capture the bi-directional packets of an HTTP request that matches this rule:

        alert tcp any any -> any 80 (msg:"test"; sid:100; flowbits:isnotset,foo; flowbits:set,foo; tag:session; content:"abc"; nocase; http_uri;)

I enabled unified2 output and used Postman to send an HTTP request with abc in its URI part. I could see the corresponding alert in the unified2 log file with u2spewfoo, but I could not find the HTTP response in that unified2 file. Am I missing anything here? I have set up a web server to respond to any requests to verify the bi-directional logging feature. Many thanks.

At 2017-02-02 05:18:56, "Andreas Herz" <andi at geekosphere.org> wrote:
>On 01/02/17 at 08:20, Vieri wrote:
>> At times I get very high CPU load when running Suricata in IPS inline mode.
>With which hardware/traffic specs?
>> I configured iptables to load-balance NFQUEUE 0:1. I would like to know what the pros and cons are performance-wise if:
>> 1) I run 2 suricata processes, one on each queue (i.e. suricata -q 0 AND suricata -q 1)
>> 2) I run only one suricata process on multiple queues (i.e. suricata -q 0 -q 1)
>I have no scientific data to support my suggestion, but I played with that
>as well, and using one suricata for multiple queues wasn't really faster
>but did use less CPU. Since suricata is multithreaded I see no need to
>split it into two different suricata processes, especially if they have
>the same config (apart from the queue attached).
>Andreas Herz
>Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
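One way to check, from the unified2 file itself, whether packets from both directions were written for the alert in Maxim's question above: the Python below is an added example, not code from this thread or from Suricata. It walks the records, ties each packet record (type 2) to its alert through event_id, and counts packets per direction. It assumes IDS event record types 7 and 104 with Ethernet-framed IPv4 packets; the sample buffer at the bottom is constructed inline with made-up addresses.

```python
import struct
from collections import defaultdict
UNIFIED2_PACKET = 2
EVENT_TYPES = {7, 104}   # legacy IDS event (52 bytes) and IDS event v2 for IPv4 (60 bytes)

def iter_records(buf):
    """Yield (type, body) per record; the 8-byte header is big-endian type then length."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from("!II", buf, off)
        body = buf[off + 8:off + 8 + rlen]
        if len(body) < rlen:          # truncated last record (file still being written)
            break
        yield rtype, body
        off += 8 + rlen

def parse_event(body):
    # Eleven uint32 fields, then sport/dport; the v2 extra fields (mpls, vlan) are not needed here.
    f = struct.unpack_from("!11I2H", body)
    return {"event_id": f[1], "sid": f[4], "src": f[9], "dst": f[10], "sport": f[11], "dport": f[12]}

def parse_packet(body):
    event_id = struct.unpack_from("!I", body, 4)[0]          # field 2 of the 28-byte packet header
    # Assumes Ethernet framing (linktype 1) carrying IPv4: addresses sit at frame offset 14 + 12.
    src_ip, dst_ip = struct.unpack_from("!II", body, 28 + 26)
    return {"event_id": event_id, "src": src_ip, "dst": dst_ip}

def summarize(buf):
    """Per event_id: packets logged towards the server vs back to the client (tag:session)."""
    events, counts = {}, defaultdict(lambda: {"to_server": 0, "to_client": 0})
    for rtype, body in iter_records(buf):
        if rtype in EVENT_TYPES:
            ev = parse_event(body)
            events[ev["event_id"]] = ev
        elif rtype == UNIFIED2_PACKET:
            pkt = parse_packet(body)
            if pkt["event_id"] in events:   # packet records follow their event record
                side = "to_server" if pkt["src"] == events[pkt["event_id"]]["src"] else "to_client"
                counts[pkt["event_id"]][side] += 1
    return dict(counts)

CLIENT, SERVER = 0x0A000001, 0x0A000050   # constructed 10.0.0.1 / 10.0.0.80 for the sid 100 sample
def _record(rtype, body):
    return struct.pack("!II", rtype, len(body)) + body
def _packet(src, dst):  # minimal Ethernet + IPv4 header; only the addresses matter to summarize()
    frame = b"\x00" * 12 + b"\x08\x00" + struct.pack("!BBHHHBBHII", 0x45, 0, 20, 0, 0, 64, 6, 0, src, dst)
    return _record(UNIFIED2_PACKET, struct.pack("!7I", 1, 7, 0, 0, 0, 1, len(frame)) + frame)
def sample_unified2():
    # Constructed sample: one type 104 event for sid 100 plus its tagged request and response packets.
    ev = struct.pack("!11I2H4BIHH", 1, 7, 0, 0, 100, 1, 1, 0, 3, CLIENT, SERVER, 51000, 80, 6, 0, 0, 0, 0, 0, 0)
    return _record(104, ev) + _packet(CLIENT, SERVER) + _packet(SERVER, CLIENT)
```

Run summarize() over the bytes of a real unified2 file: an event whose count shows only to_server packets means the response side of the session was never written.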
