Support #1213: HTTP reassembly problem - Suricata 2.0.1

Added by Mateusz Pigulski about 12 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Assignee: -
Affected Versions:
Label:

Description

Hi experts!!!

I am new to Suricata, so firstly I want to say Hello!!.
I have configured Suricata 2.0.1 with pf_ring 5.6.1. I want to use suri to capture HTTP POSTs which are forwarded to my system. I have a problem with configuring the output unified2-alert to store the reassembled packets. When the size of the HTTP POST is larger than 1500, I can see in my unified2 file that every TCP segment is stored as an event and a packet, so if the HTTP POST consists of 2 TCP segments I have 2 events and 2 packets; from my point of view it would be better to have only one event and packet for the reassembled packet. My question is: is it possible to configure in Suricata 2.0.1 the output with unified2-alert to store reassembled packets ??


Files

core.27825.gz (1.17 MB) - Mateusz Pigulski, 06/27/2014 01:55 PM
suricata.yaml (47.3 KB) - Mateusz Pigulski, 06/27/2014 02:00 PM

#1 - Updated by Victor Julien about 12 years ago

No, this is not possible. In the future there will be a log method to log the entire http headers, http body and such. But that won't use unified2.

#2 - Updated by Mateusz Pigulski almost 12 years ago

Ok, thx for the answer, so I have a problem..., because I need to capture and log the entire xml, maybe do You know any other methods to do this ??

#3 - Updated by Victor Julien almost 12 years ago

In this development code branch, there is a new option to log the payloads in json: https://github.com/inliniac/suricata/pull/991. It also logs the stream, in a single buffer. Perhaps you can help test it.

#4 - Updated by Mateusz Pigulski almost 12 years ago

Thank You, I will test it.

#5 - Updated by Mateusz Pigulski almost 12 years ago

Hi Victor, I have updated my suricata to version 2.0.2, I have also added the feature from https://github.com/inliniac/suricata/pull/991, and now when I start suricata it generates a core dump :/. Do I have to downgrade suricata to version 2.0.1 (in case of using https://github.com/inliniac/suricata/pull/991)? The core dump You can find in the attachment. Could You help with this issue ??

#6 - Updated by Mateusz Pigulski almost 12 years ago

Hi Victor, I think this entry causes the core dump:

  - eve-log:
      enabled: yes
      filetype: file #file|syslog|unix_dgram|unix_stream

In suricata.log I can see:

30/6/2014 -- 12:19:01 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid entry for eve-log.type. Expected "regular" (default), "unix_stream", "pcie" or "unix_dgram"

When I change it to:

  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream

suricata is running but logging of the payload doesn't work...
Can You advise me what is wrong with my suricata ??

#7 - Updated by Mateusz Pigulski almost 12 years ago

It has started working, when I changed the conf to:

  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      types:
        - alert:
            payload: yes
            payload-base64: no
            packet: yes
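As an added illustration (not code from the ticket, the pull request or Suricata itself), the script below reads eve.json alert records and checks whether the logged payload holds the whole HTTP POST or only a single TCP segment, by comparing the declared Content-Length with the body bytes actually present; that is the difference between the per-segment unified2 records described in the ticket and the single-buffer stream logging of the new option. The sample records are constructed, and the base64 `payload` field name and the signature id are assumptions.

```python
import base64
import json

# Constructed sample HTTP POST (not from the ticket): 96 bytes of request line
# and headers followed by a 31-byte XML body, 127 bytes in total.
SAMPLE_POST = (
    b"POST /api/upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Length: 31\r\n\r\n"
    b"<doc><item>hello</item></doc>\r\n"
)

def make_record(payload: bytes) -> str:
    """Constructed eve.json alert line; the base64 'payload' field is assumed
    to carry the stream data Suricata logged with the alert."""
    return json.dumps({"event_type": "alert",
                       "alert": {"signature_id": 1000001},
                       "payload": base64.b64encode(payload).decode()})

# Two constructed records: the whole reassembled POST, and a copy cut off after
# 110 bytes, which is what logging only the first TCP segment would look like.
SAMPLE_EVE = "\n".join([make_record(SAMPLE_POST), make_record(SAMPLE_POST[:110])])

def check_http_post(payload: bytes) -> dict:
    """Compare the declared Content-Length with the body bytes actually logged."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return {"complete": False, "reason": "headers incomplete"}
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get(b"content-length", b"0"))
    return {"method": request_line.split(b" ")[0].decode(),
            "declared": declared, "logged": len(body),
            "complete": len(body) >= declared}

def audit_eve(text: str) -> list:
    """Run the check over every alert record with a payload in an eve.json text."""
    results = []
    for line in text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") == "alert" and "payload" in rec:
            results.append(check_http_post(base64.b64decode(rec["payload"])))
    return results
```

Running `audit_eve` over a real eve.json (one JSON object per line) reports, per alert, how many body bytes were logged against how many the request declared.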

#8 - Updated by Andreas Herz over 10 years ago

Is this still an issue as we released 3.0 and the json output advanced/improved a lot?
So if not we can close it :)

#9 - Updated by Mateusz Pigulski over 10 years ago

Hi, I didn't upgrade my suricata.

#10 - Updated by Victor Julien over 10 years ago

  • Status changed from New to Closed

2.0.1 is too old to support.
