[Oisf-users] question about http eve log data source/dest flip

Victor Julien lists at inliniac.net
Thu Feb 1 14:17:19 UTC 2018


On 01-02-18 14:59, jason taylor wrote:
> We started seeing some of our http traffic source and destination data
> flipped. 
> 
> I looked through the Redmine tickets and didn't see anything similar so
> figured I would check in with folks here to see if anyone else has run
> across this.
> 
> As far as we can tell it appears to happen when a client is going to
> port 443/ssl traffic through our proxies.
> 
> Flow data source and destination are correct so it appears to maybe be
> related to http parsing.
> 
> Attached are the Suricata build information, JSON log data and pcap.
> 
> Let me know if there is any other information that would be useful.

I can confirm the issue with your pcap. Can you open a ticket?

Thanks!

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
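
The symptom reported in this thread (http records reversed while flow records are correct) can be checked for in an existing eve.json. The following is an added example, not part of the original messages or of Suricata itself; it assumes the flow record is the reference direction, as the report states, and the sample records are constructed.

```python
import json

# Constructed sample EVE records (not the attachment from the thread).
# flow_id 1001: http record is reversed relative to its flow record.
# flow_id 1002: http and flow records agree.
# flow_id 1003: http record with no flow record yet (cannot be judged).
SAMPLE_EVE = """\
{"event_type":"http","flow_id":1001,"src_ip":"10.0.0.5","src_port":3128,"dest_ip":"192.168.1.20","dest_port":51544}
{"event_type":"http","flow_id":1002,"src_ip":"192.168.1.21","src_port":40222,"dest_ip":"10.0.0.5","dest_port":3128}
{"event_type":"flow","flow_id":1001,"src_ip":"192.168.1.20","src_port":51544,"dest_ip":"10.0.0.5","dest_port":3128}
{"event_type":"flow","flow_id":1002,"src_ip":"192.168.1.21","src_port":40222,"dest_ip":"10.0.0.5","dest_port":3128}
{"event_type":"http","flow_id":1003,"src_ip":"10.0.0.5","src_port":3128,"dest_ip":"192.168.1.22","dest_port":50001}
not-json debris line
"""

def endpoints(ev):
    """Return ((src_ip, src_port), (dest_ip, dest_port)) for an EVE record."""
    return ((ev.get("src_ip"), ev.get("src_port")),
            (ev.get("dest_ip"), ev.get("dest_port")))

def find_flipped(lines):
    """Return flow_ids whose http record is the exact reverse of the flow record."""
    flows, http_events = {}, []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or "flow_id" not in ev:
            continue
        if ev.get("event_type") == "flow":
            flows[ev["flow_id"]] = endpoints(ev)
        elif ev.get("event_type") == "http":
            http_events.append(ev)
    # Flow records are written when the flow ends, after its http records,
    # so the comparison runs only once every line has been read.
    flipped = []
    for ev in http_events:
        ref = flows.get(ev["flow_id"])
        if ref is None:
            continue  # no flow record to compare against
        src, dst = endpoints(ev)
        if src != dst and (src, dst) == (ref[1], ref[0]):
            flipped.append(ev["flow_id"])
    return flipped

if __name__ == "__main__":
    print(find_flipped(SAMPLE_EVE.splitlines()))
```
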



