[Oisf-users] question about http eve log data source/dest flip

jason taylor jtfas90 at gmail.com
Thu Feb 1 14:37:06 UTC 2018


On Thu, 2018-02-01 at 15:17 +0100, Victor Julien wrote:
> On 01-02-18 14:59, jason taylor wrote:
> > We started seeing some of our http traffic source and destination data
> > flipped.
> >
> > I looked through the redmine tickets and didn't see anything similar so
> > figured I would check in with folks here to see if anyone else has run
> > across this.
> >
> > As far as we can tell it appears to happen when a client is going to
> > port 443/ssl traffic through our proxies.
> >
> > flow data source and destination are correct so it appears to maybe be
> > related to http parsing.
> >
> > Attached are the suricata build information, json log data and pcap.
> > 
> > Let me know if there is any other information that would be useful.
> 
> I can confirm the issue with your pcap. Can you open a ticket?
> 
> Thanks!
> 
Done.

https://redmine.openinfosecfoundation.org/issues/2430

Thanks!

JT


