Bug #245
closed
http.log
Description
Suricata's HTTP.log file logs wrongly most of the time /90%/
the ip:port -> ip:port connections as being one way
i.e. InternalIP:80 -> ExternalIP:port - as if the system that Suricata is installed on is a webserver and gets all requests on its http port 80.
Use the following command on any http.log to confirm the issue:
egrep -n '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}:[[:digit:]]{1,5}' http.log | awk '{ print $1$18$19$20$21" " }'
Updated by Victor Julien about 14 years ago
- Due date set to 11/19/2010
- Status changed from New to Assigned
- Assignee set to Gurvinder Singh
- Target version set to 1.1beta1
- Estimated time set to 1.00 h
It seems on some occasions (or many ;-)) the ports are not displayed correctly. While the log should show local_ip local_port -> webserver_ip webserver_port uri, it actually shows local_ip webserver_port -> webserver_ip local_port uri.
Updated by Gurvinder Singh about 14 years ago
- File 0001-fixed-the-incorrect-port-issue-in-http.log.patch added
- Status changed from Assigned to Resolved
- % Done changed from 0 to 90
Attached patch fixes the issue.
Updated by Victor Julien about 14 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Applied to my local tree with some minor changes. Thanks Gurvinder.
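A way to quantify the symptom described in this report, as an added example that is not part of the original thread or of Suricata: it counts http.log entries whose source port is 80 while the destination port is a client-range port. Assumptions: each entry carries one `src_ip:src_port -> dst_ip:dst_port` tuple written in request direction, the 1023 cut-off for client ports, the function names, and the constructed sample lines (their field layout is illustrative only).

```sh
#!/bin/sh
# Added example: measure how many http.log entries show swapped ports.
# Assumption: every entry holds one "ip:port -> ip:port" tuple, logged in
# request direction (client -> web server).

TUPLE_RE='([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5} -> ([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}'

# Print "<swapped> <total>" for the log file given as $1.
# An entry counts as swapped when the source port is 80 and the
# destination port is above 1023 (assumed cut-off for client ports).
count_swapped() {
    grep -Eo "$TUPLE_RE" "$1" | awk '
        {
            # $1 = src_ip:src_port, $2 = "->", $3 = dst_ip:dst_port
            n = split($1, src, ":")
            m = split($3, dst, ":")
            total++
            if (src[n] == 80 && dst[m] > 1023) swapped++
        }
        END { printf "%d %d\n", swapped, total }'
}

# Constructed sample log: two entries with swapped ports, one correct.
make_sample_log() {
    cat <<'EOF'
11/12/2010-10:15:01.000001 example.com [**] /index.html [**] Mozilla/5.0 [**] 192.168.1.10:80 -> 203.0.113.5:49152
11/12/2010-10:15:02.000002 example.com [**] /style.css [**] Mozilla/5.0 [**] 192.168.1.10:80 -> 203.0.113.5:49153
11/12/2010-10:15:03.000003 example.org [**] /about [**] Mozilla/5.0 [**] 192.168.1.10:49154 -> 203.0.113.9:80
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
make_sample_log > "$sample"
count_swapped "$sample"
rm -f "$sample"
```

Calling `count_swapped` on a real http.log gives the swapped and total entry counts to compare against the roughly 90% figure in the description.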