Bug #245

closed

http.log

Added by Peter Manev almost 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal

Description

Suricata's HTTP.log file wrongly logs, most of the time (90%), the ip:port -> ip:port connections as being one way,
i.e. InternalIP:80 -> ExternalIP:port, as if the system that Suricata is installed on is a webserver and gets all requests on its HTTP port 80.

Use the following command on any http.log to confirm the issue:

egrep -n '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}:[[:digit:]]{1,5}' http.log | awk '{ print $1$18$19$20$21" " }'


Files

start_suricata.png (135 KB): Suricata starts without issues. Peter Manev, 11/16/2010 01:05 AM
Suricat_conf_opt.png (131 KB): conf for Suricata. Peter Manev, 11/16/2010 01:05 AM
http.log (34.9 KB): Suricata's http.log file. Peter Manev, 11/16/2010 01:05 AM
grep-httplog.txt (7.78 KB): Just the IP:Port->IP:Port requests extracted from http.log. Peter Manev, 11/16/2010 01:05 AM
0001-fixed-the-incorrect-port-issue-in-http.log.patch (2.63 KB): Gurvinder Singh, 11/16/2010 10:07 AM
Actions #1

Updated by Victor Julien almost 12 years ago

  • Due date set to 11/19/2010
  • Status changed from New to Assigned
  • Assignee set to Gurvinder Singh
  • Target version set to 1.1beta1
  • Estimated time set to 1.00 h

It seems on some occasions (or many ;-)) the ports are not displayed correctly. While the log should show local_ip local_port -> webserver_ip webserver_port uri, it actually shows local_ip webserver_port -> webserver_ip local_port uri.
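
An added example, not part of the original ticket or of Suricata's code: a check that counts how many http.log lines show the swapped ports described above. It assumes IPv4 tuples written as ip:port -> ip:port; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the ip:port -> ip:port tuple on each http.log line.
# Assumption: tuples are IPv4, written "a.b.c.d:port -> a.b.c.d:port". The
# tuple is found by pattern (leftmost match), not by field position, so the
# length of the URI or user-agent does not shift it.

# classify_http_tuples [server_port]
# Reads http.log lines on stdin, prints "swapped=N ok=N other=N".
#   swapped: source port is the server port and destination port is >= 1024
#   ok:      destination port is the server port
#   other:   anything else, including lines with no tuple
classify_http_tuples() {
    awk -v sp="${1:-80}" '
    BEGIN { swapped = ok = other = 0
            ip = "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
            re = ip ":[0-9]+ -> " ip ":[0-9]+" }
    {
        if (!match($0, re)) { other++; next }
        tuple = substr($0, RSTART, RLENGTH)
        split(tuple, side, " -> ")
        n = split(side[1], s, ":"); sport = s[n] + 0
        n = split(side[2], d, ":"); dport = d[n] + 0
        if (dport == sp)                       ok++
        else if (sport == sp && dport >= 1024) swapped++
        else                                   other++
    }
    END { printf "swapped=%d ok=%d other=%d\n", swapped, ok, other }'
}

# Constructed sample lines (not taken from the attached http.log).
sample_http_log() {
    cat <<'EOF'
11/16/2010-01:00:01.000001 example.test [**] /index.html [**] Mozilla/5.0 (X11; Linux) [**] 192.0.2.10:80 -> 198.51.100.7:49152
11/16/2010-01:00:02.000002 example.test [**] /a.css [**] Mozilla/5.0 (X11; Linux) [**] 192.0.2.10:49153 -> 198.51.100.7:80
11/16/2010-01:00:03.000003 example.test [**] /b.js [**] curl/7.21 [**] 192.0.2.11:80 -> 198.51.100.7:50211
11/16/2010-01:00:04.000004 truncated line without a tuple
EOF
}

sample_http_log | classify_http_tuples 80
```

Run against a real log with `classify_http_tuples 80 < http.log`; since http.log records requests, a non-zero swapped count on a build that includes the fix would point to a regression.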

Actions #2

Updated by Gurvinder Singh almost 12 years ago

Attached patch fixes the issue.

Actions #3

Updated by Victor Julien almost 12 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 90 to 100

Applied to my local tree with some minor changes. Thanks Gurvinder.
