Bug #245
closed
Added by Peter Manev about 14 years ago.
Updated about 14 years ago.
Description
Suricata's HTTP.log file logs wrongly most of the time /90%/
the ip:port -> ip:port connections as being one way
i.e InternalIP:80 -> ExternalIP:port - as if the system that Suricata is installed on is a webserver and gets all requests on its port http port 80.
Use the following command on any http.log to confirm the issue:
egrep -n ':digit:{1,3}\.:digit:{1,3}\.:digit:{1,3}\.:digit:{1,3}\::digit:{1,5}' http.log | awk '{ print $1$18$19$20$21" " }'
Files
- Due date set to 11/19/2010
- Status changed from New to Assigned
- Assignee set to Gurvinder Singh
- Target version set to 1.1beta1
- Estimated time set to 1.00 h
It seems in some occasions (or many ;-)) the ports are not displayed correctly. While the log should show local_ip local_port -> webserver_ip webserver_port uri, it actually shows local_ip webserver_port -> webserver_ip local_port uri.
attached patch fixes the issue.
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Applied to my local tree with some minor changes. Thanks Gurvinder.
Also available in: Atom
PDF
