[Oisf-users] question about unix_stream and http-logs

jason taylor jtfas90 at gmail.com
Thu Feb 16 17:13:32 UTC 2017


On Thu, 2017-02-16 at 09:46 -0500, jason taylor wrote:
> On Wed, 2017-02-15 at 21:53 +0100, Andreas Herz wrote:
> > On 15/02/17 at 15:44, jason taylor wrote:
> > > On Wed, 2017-02-15 at 21:24 +0100, Andreas Herz wrote:
> > > > On 14/02/17 at 08:06, jason taylor wrote:
> > > > > We use the following config snippet on our sensors and recently
> > > > > noticed that if our application (logstash) is unable to send the
> > > > > unix_stream events to the logstash destination, suricata will stop
> > > > > firing alerts.
> > > > 
> > > > Every alert or just the ones for the unix socket?
> > > > 
> > > > > Is this expected behavior?
> > > > 
> > > > Not sure
> > > > 
> > > > > I am not sure what other information here would be useful, so
> > > > > just let me know what else would be needed.
> > > > 
> > > > What version of suricata are you using?
> > > 
> > > 3.1.2 from EPEL
> > > 
> > 
> > Could you test with 3.2.1 as well?
> 
> Yep, I sure can. I should be able to do this today.
> 
> > > > What happens if the app is able to work again?
> > > > 
> > > 
> > > Suricata generally processes alerts again if logstash starts sending
> > > data off the socket again. However, suricata doesn't always and
> > > sometimes requires a restart.
> > 
> > So you see that alerts stop at all, not just the ones for the
> > http.log, so if that is still the same with 3.2.1 please file a bug
> > report at our redmine.
> > 
It is reproducible on 3.2.1. I will file a bug report.

> > If possible try to find an "easy" way to trigger/reproduce it.
> 
> It's pretty easy to test, just enable http-log, set the filetype to
> unix_stream. After a period of time suricata will appear to stop
> processing traffic/rules.
> 
> 
> > Thanks
> > 
> 
> 

JT
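A minimal stand-in consumer for the unix_stream output discussed in this thread, added here as an example; it is not code from the thread, from Suricata or from logstash, and the socket path is an assumption. It drains the socket continuously so the writer never blocks on a full buffer, and records when the last event arrived, which gives an operator something to alarm on when the downstream stops reading, the condition described above.

```python
import os
import socket
import threading
import time

# Assumed path: must match the http-log filename configured with filetype unix_stream.
SOCKET_PATH = "/tmp/suricata-http.sock"

class Sink:
    """Counts newline-delimited records and remembers when the last one arrived."""
    def __init__(self):
        self.count, self.last_seen = 0, None

    def handle(self, record: bytes) -> None:
        self.count += 1
        self.last_seen = time.monotonic()

    def stalled(self, max_idle: float) -> bool:
        """True when nothing has arrived for max_idle seconds: the condition to alarm on."""
        return self.last_seen is not None and time.monotonic() - self.last_seen > max_idle

def split_records(buf: bytes):
    """Return (complete records, trailing partial bytes) for a newline-delimited buffer."""
    parts = buf.split(b"\n")
    return parts[:-1], parts[-1]

def drain(conn: socket.socket, sink: Sink) -> int:
    """Read until EOF; continuous reads keep the socket buffer from filling and blocking the writer."""
    buf, handled = b"", 0
    while True:
        chunk = conn.recv(65536)
        if not chunk:
            break
        buf += chunk
        records, buf = split_records(buf)
        for rec in records:
            sink.handle(rec)
            handled += 1
    return handled

def serve(sink: Sink, path: str = SOCKET_PATH) -> None:
    """Listen on a unix stream socket and drain each connection in its own thread."""
    if os.path.exists(path):
        os.unlink(path)  # remove a stale socket file left by a previous run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=drain, args=(conn, sink), daemon=True).start()
```

Run `serve(Sink())` before starting Suricata so the socket exists when it connects; polling `sink.stalled(...)` from a monitoring thread turns a silent consumer stall into an alert instead of a quiet loss of output.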
