[Oisf-users] How to configure suricata to log bi-directional packets?

Andreas Herz andi at geekosphere.org
Sat Feb 4 21:12:59 UTC 2017


Hi,

first, please don't hijack existing threads; send a new mail to the
mailing list for new discussions.

Do you have a pcap for your test?

It also helps to name the Suricata version, setup, how you run Suricata,
etc.

On 03/02/17 at 18:03, Maxim wrote:
> Hi all,
> I used the following rule to capture the bi-directional packets of a HTTP request that matches this rule
> 
> 
>         alert tcp any any -> any 80 (msg:"test"; sid:100; flowbits:isnotset,foo; flowbits:set,foo; tag:session; content:"abc"; nocase; http_uri;)
> 
> 
> I enabled unified2 output and used Postman to send an HTTP request with abc in its URI part. I could see the corresponding alert in the unified2 log file with u2spewfoo, but I could not find the HTTP response in that unified2 file. Am I missing anything here? I have set up a web server to respond to any requests to verify the bi-directional logging feature. Many thanks.
> 
> At 2017-02-02 05:18:56, "Andreas Herz" <andi at geekosphere.org> wrote:
> >On 01/02/17 at 08:20, Vieri wrote:
> >> At times I get very high CPU load when running Suricata in IPS inline mode.
> >
> >With which specs (hardware/traffic)?
> >
> >> I configured iptables to load-balance NFQUEUE 0:1. I would like to know what the pros and cons are performance-wise if:
> >> 
> >> 1) I run 2 suricata processes, one on each queue (i.e. suricata -q 0 AND suricata -q 1)
> >> 
> >> 2) I run only one suricata process on multiple queues (i.e. suricata -q 0 -q 1)
> >
> >I have no scientific data to support my suggestion, but I played with
> >that as well, and using one Suricata for multiple queues wasn't really
> >faster but did use less CPU. Since Suricata is multithreaded I see no
> >need to split it into two different Suricata processes, especially if
> >they have the same config (apart from the queue attached).
> >
> >-- 
> >Andreas Herz
> >_______________________________________________
> >Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users



-- 
Andreas Herz
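As an added example (not part of this thread and not Suricata's or Snort's own tooling) of the check Maxim is after: walk a unified2 file, group packet records by the alert's (sensor_id, event_id), and report which directions of the session were actually logged. It assumes the standard unified2 layout with legacy IPv4 event records (type 7) and packet records (type 2) over Ethernet, and that tagged packets carry the triggering alert's event_id; the sample bytes are constructed inline, so it runs offline.

```python
import struct
from collections import defaultdict

UNIFIED2_PACKET = 2        # packet record: 28-byte header + captured frame
UNIFIED2_IDS_EVENT = 7     # legacy IPv4 event record, 52-byte body

def parse_unified2(data):
    """Yield (record_type, body) for each record in a unified2 byte string."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += 8 + length

def session_directions(data):
    """Map each alert (sensor_id, event_id) to the directions ('c2s'/'s2c') seen
    in packet records that carry the same event_id (assumed for tagged packets)."""
    events, dirs = {}, defaultdict(set)
    for rtype, body in parse_unified2(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack_from(">IIIIIIIII4s4sHHBBBB", body)
            events[(f[0], f[1])] = (f[9], f[10])       # ip_source, ip_destination
        elif rtype == UNIFIED2_PACKET:
            sensor_id, event_id = struct.unpack_from(">II", body)
            frame = body[28:]                            # assumes linktype 1 (Ethernet)
            src, dst = frame[26:30], frame[30:34]        # IPv4 src/dst inside the frame
            if (sensor_id, event_id) in events:
                c2s = (src, dst) == events[(sensor_id, event_id)]
                dirs[(sensor_id, event_id)].add("c2s" if c2s else "s2c")
    return {k: sorted(v) for k, v in dirs.items()}

# Constructed sample: one alert (sid 100) plus three tagged packets of its session.
def _record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body

def _event(sensor_id, event_id, src, dst):
    return _record(UNIFIED2_IDS_EVENT, struct.pack(">IIIIIIIII4s4sHHBBBB", sensor_id,
                   event_id, 1486147200, 0, 100, 1, 1, 0, 3, src, dst, 51000, 80, 6, 0, 0, 0))

def _packet(sensor_id, event_id, src, dst):
    # minimal Ethernet + IPv4 header; only the addresses matter for this check
    frame = b"\x00" * 12 + b"\x08\x00" + bytes([0x45, 0, 0, 20]) + b"\x00" * 8 + src + dst
    hdr = struct.pack(">IIIIIII", sensor_id, event_id, 1486147200, 1486147200, 0, 1, len(frame))
    return _record(UNIFIED2_PACKET, hdr + frame)

CLIENT, SERVER = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
SAMPLE = (_event(0, 1, CLIENT, SERVER) + _packet(0, 1, CLIENT, SERVER)
          + _packet(0, 1, SERVER, CLIENT) + _packet(0, 1, CLIENT, SERVER))
```

Run `session_directions(open("unified2.alert", "rb").read())` against a real file; an alert that maps only to `['c2s']` means the server-to-client half of the session never reached the log.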
