Support #1213
Closed. HTTP reassembly problem - Suricata 2.0.1
Description
Hi experts!
I am new to Suricata, so firstly I want to say hello!
I have configured Suricata 2.0.1 with pf_ring 5.6.1. I want to use Suricata to capture HTTP POSTs which are forwarded to my system. I have a problem with configuring the unified2-alert output to store the reassembled packets. When the size of the HTTP POST is larger than 1500, I can see in my unified2 file that every TCP segment is stored as an event and packet, so if the HTTP POST consists of 2 TCP segments I have 2 events and 2 packets; from my point of view it would be better to have only one event and packet for the reassembled packet. My question is: is it possible to configure the unified2-alert output in Suricata 2.0.1 to store reassembled packets?
Updated by Victor Julien almost 11 years ago
No, this is not possible. In the future there will be a log method to log the entire http headers, http body and such. But that won't use unified2.
Updated by Mateusz Pigulski almost 11 years ago
Ok, thanks for the answer, so I have a problem..., because I need to capture and log the entire XML. Maybe you know any other methods to do this?
Updated by Victor Julien almost 11 years ago
In this development code branch, there is a new option to log the payloads in json: https://github.com/inliniac/suricata/pull/991 It also logs the stream, in a single buffer. Perhaps you can help test it.
Updated by Mateusz Pigulski almost 11 years ago
- File core.27825.gz added
- File suricata.yaml added
Hi Victor, I have updated my Suricata to version 2.0.2, and I have also added the feature from https://github.com/inliniac/suricata/pull/991, and now when I start Suricata it generates a core dump :/. Do I have to downgrade Suricata to version 2.0.1 (in case of using https://github.com/inliniac/suricata/pull/991)? You can find the core dump in the attachment. Could you help with this issue?
Updated by Mateusz Pigulski almost 11 years ago
Hi Victor, I think this entry causes the core dump:
- eve-log:
    enabled: yes
    filetype: file #file|syslog|unix_dgram|unix_stream
In suricata.log I can see:
30/6/2014 -- 12:19:01 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - Invalid entry for eve-log.type. Expected "regular" (default), "unix_stream", "pcie" or "unix_dgram"
When I change it to:
- eve-log:
    enabled: yes
    type: file #file|syslog|unix_dgram|unix_stream
Suricata is running, but logging of the payload doesn't work...
Can you advise me what is wrong with my Suricata?
Updated by Mateusz Pigulski almost 11 years ago
It has started working when I changed the conf to:
- eve-log:
    enabled: yes
    type: file #file|syslog|unix_dgram|unix_stream
    types:
      - alert:
          payload: yes
          payload-base64: no
          packet: yes
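As an added example (not from this thread or from the Suricata project), here is a small reader for the eve.json alert records that the configuration above produces, which decodes the logged payload, pulls the HTTP POST body out of it, and checks the body length against Content-Length so a POST that was cut at a segment boundary (the original concern in this ticket) is flagged as incomplete. The field names `payload` (base64) and `packet` are assumptions about the eve alert format; the eve.json lines are constructed samples.

```python
import base64
import json

# Constructed sample eve.json alert records (not real Suricata output).
# Assumed field name: "payload" holds the base64-encoded alert payload.
_BODY = "<order><id>42</id><item>widget</item></order>"
_FULL_REQ = (
    "POST /api HTTP/1.1\r\nHost: example.test\r\n"
    f"Content-Length: {len(_BODY)}\r\n\r\n{_BODY}"
)
# Simulate a payload that was cut at a segment boundary (10 bytes missing).
_TRUNCATED_REQ = _FULL_REQ[:-10]

SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"event_type": "alert", "src_ip": "10.0.0.5", "alert": {"signature_id": 1},
     "payload": base64.b64encode(_FULL_REQ.encode()).decode()},
    {"event_type": "alert", "src_ip": "10.0.0.6", "alert": {"signature_id": 1},
     "payload": base64.b64encode(_TRUNCATED_REQ.encode()).decode()},
    {"event_type": "http", "src_ip": "10.0.0.7"},  # no payload: skipped
])


def extract_post_bodies(eve_text):
    """Return (src_ip, body, complete) for each alert whose payload holds
    an HTTP request; 'complete' is True only when the body length matches
    the Content-Length header, i.e. the logged payload was not cut short."""
    results = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or "payload" not in rec:
            continue
        raw = base64.b64decode(rec["payload"])
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            continue  # no header/body boundary: not a full HTTP request
        declared = None
        for hdr in head.split(b"\r\n")[1:]:
            name, _, value = hdr.partition(b":")
            if name.strip().lower() == b"content-length":
                declared = int(value.strip())
        complete = declared is not None and len(body) == declared
        results.append((rec.get("src_ip"), body.decode("utf-8", "replace"), complete))
    return results


if __name__ == "__main__":
    for src, body, ok in extract_post_bodies(SAMPLE_EVE):
        print(src, "complete" if ok else "TRUNCATED", body)
```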
Updated by Andreas Herz about 9 years ago
Is this still an issue, now that we have released 3.0 and the JSON output has advanced/improved a lot?
If not, we can close it :)
Updated by Victor Julien about 9 years ago
- Status changed from New to Closed
2.0.1 is too old to support.