<p>Open Information Security Foundation<br />Suricata - Bug #600: literal \t (x09) in mod_log_config</p>
<p>2012-10-12T02:46:35Z Victor Julien (victor@inliniac.net)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=2356">https://redmine.openinfosecfoundation.org/issues/600?journal_id=2356</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Ignacio Sanchez</i></li></ul>
<p>2012-10-12T03:36:40Z Ignacio Sanchez (sanchezmartin.ji@gmail.com)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=2357">https://redmine.openinfosecfoundation.org/issues/600?journal_id=2357</a></p>
<ul></ul><p>The special characters are escaped by the libhtp library. I understand that Apache mod_log_config behaves slightly differently, but Suricata customhttplog was never meant (at least not for now) to replicate mod_log_config behavior exactly.</p>
<p>It is merely "inspired" by its syntax. In fact, there are some/many features such as %C not yet implemented (working on it...).</p>
<p>The wiki page is perhaps a little bit misleading in this regard (<a class="external" href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging</a>). I will change it to include a more detailed explanation.</p>
<p>The Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Custom http logging (Closed)" href="https://redmine.openinfosecfoundation.org/issues/530">#530</a> describes better the capabilities of customhttplog and its relation with mod_log_config.<br />(<a class="external" href="https://redmine.openinfosecfoundation.org/issues/530#change-2101">https://redmine.openinfosecfoundation.org/issues/530#change-2101</a>)</p>
<p>2012-10-12T03:49:52Z Peter Manev (petermanev@gmail.com)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=2358">https://redmine.openinfosecfoundation.org/issues/600?journal_id=2358</a></p>
<ul></ul><p>Thank you Ignacio.<br />I also noticed, actually, that when using the custom (Apache style) http.log, the resulting log could not exactly be parsed the way a lot of Apache log parsers would normally parse Apache's own logs. Is it supposed to work that way? Just wondering.</p>
<p>2012-10-12T04:18:09Z Ignacio Sanchez (sanchezmartin.ji@gmail.com)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=2359">https://redmine.openinfosecfoundation.org/issues/600?journal_id=2359</a></p>
<ul></ul><p>As I said, I never meant at this point to allow the production of an output <strong>identical</strong> to the one of mod_log_config...</p>
<p>Could you try to identify what the difference in the outputs is that causes the problem (perhaps it is the \t \n)? We can add them as feature requests and look into them for the next enhancement. I am currently preparing one to add support for the extraction of individual cookie values, and a maximum length for the extracted fields. I could add some of these missing features there as well.</p>
<p>2012-10-12T10:28:14Z Victor Julien (victor@inliniac.net)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=2362">https://redmine.openinfosecfoundation.org/issues/600?journal_id=2362</a></p>
<ul></ul><p>Ignacio Sanchez wrote:</p>
<blockquote>
<p>The special characters are escaped by the libhtp library.</p>
</blockquote>
<p>They are actually escaped in Suricata itself. Check util-buffer.[ch].</p>
<p>2012-10-13T13:23:39Z Erik C (erik.j.clark@nasa.gov)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=2364">https://redmine.openinfosecfoundation.org/issues/600?journal_id=2364</a></p>
<ul></ul><p>I looked at util-buffer.h and saw the following, which mimics roughly the same behavior as mod_log_config, but not quite:</p>
<p>(from util-buffer.h)</p>
<blockquote>
<p>Printable characters are written in the printable format and the non-printable chars are written in hex codes using the |XX| format.</p>
</blockquote>
<p>If we could just get \t to print as whitespace and not as a hex code, that would make our lives immeasurably wonderful. Thanks for the assist in this! We are looking to move to Suri possibly, and getting this would be the final piece to the puzzle!</p>
<p>2012-10-13T15:52:53Z Ignacio Sanchez (sanchezmartin.ji@gmail.com)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=2365">https://redmine.openinfosecfoundation.org/issues/600?journal_id=2365</a></p>
<ul></ul><p>I have updated the custom http logging wiki page.</p>
<p><a class="external" href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Custom_http_logging</a></p>
<p>Please let me know if you find any errors in the documentation, or if you find the logging behaves in a different way.</p>
<p>2012-10-15T03:00:39Z Victor Julien (victor@inliniac.net)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=2366">https://redmine.openinfosecfoundation.org/issues/600?journal_id=2366</a></p>
<ul></ul><p>I think we can easily add another print function to create the format of mod_log_config. Ignacio, are you interested in implementing that?</p>
<p>2012-10-16T12:56:22Z Ignacio Sanchez (sanchezmartin.ji@gmail.com)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=2375">https://redmine.openinfosecfoundation.org/issues/600?journal_id=2375</a></p>
<ul></ul><blockquote>
<p>I think we can easily add another print function to create the format of mod_log_config. Ignacio, are you interested in implementing that?</p>
</blockquote>
<p>Yes, ok. The feature request is <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: availability for http.log output - identical to apache log format (Closed)" href="https://redmine.openinfosecfoundation.org/issues/602">#602</a></p>
<p>2013-10-26T10:23:12Z Victor Julien (victor@inliniac.net)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=3668">https://redmine.openinfosecfoundation.org/issues/600?journal_id=3668</a></p>
<ul><li><strong>Target version</strong> set to <i>TBD</i></li></ul>
<p>2015-12-22T16:14:27Z Andreas Herz (oisf@herzandreas.de)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=5855">https://redmine.openinfosecfoundation.org/issues/600?journal_id=5855</a></p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li></ul><p>fixed by <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: availability for http.log output - identical to apache log format (Closed)" href="https://redmine.openinfosecfoundation.org/issues/602">#602</a></p>
<p>2017-10-19T00:57:12Z Victor Julien (victor@inliniac.net)<br /><a class="external" href="https://redmine.openinfosecfoundation.org/issues/600?journal_id=8752">https://redmine.openinfosecfoundation.org/issues/600?journal_id=8752</a></p>
<ul><li><strong>Target version</strong> deleted (<del><i>TBD</i></del>)</li></ul>
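<p>To make the difference the thread is about concrete, here is an added example, not code from Suricata or Apache httpd, that escapes the same HTTP field value in the two styles under discussion: the |XX| convention described in the util-buffer.h comment Erik quoted, and the mod_log_config convention, approximated here from httpd's ap_escape_logitem() (\b \n \r \t \v, backslash and double quote become backslash escapes, any other control or non-ASCII byte becomes \xhh). The function names, the decision to escape a literal '|' as |7C|, and the sample User-Agent value are this example's own assumptions. It covers only how field data is escaped, not how a \t written in the log format string itself is treated.</p>

```c
/* Added example, not code from Suricata or Apache httpd: the two escaping
 * conventions this thread compares, applied to the same HTTP field value. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* |XX| style, following the util-buffer.h comment quoted in the thread:
 * printable bytes are copied, everything else becomes |XX|.
 * Escaping a literal '|' as |7C| is this example's own choice so the
 * output cannot be misread; the thread does not say what Suricata does.
 * Returns bytes written (excluding the NUL), or -1 if dst is too small. */
int suri_escape(const unsigned char *src, size_t len, char *dst, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (isprint(c) && c != '|') {
            if (n + 1 >= cap) return -1;
            dst[n++] = (char)c;
        } else {
            if (n + 4 >= cap) return -1;          /* room for |XX| plus NUL */
            snprintf(dst + n, cap - n, "|%02X|", (unsigned)c);
            n += 4;
        }
    }
    dst[n] = '\0';
    return (int)n;
}

/* mod_log_config style, approximating httpd's ap_escape_logitem():
 * \b \n \r \t \v, backslash and double quote get a backslash escape; any
 * other control byte or byte >= 0x7f becomes \xhh (lowercase hex). */
int apache_escape(const unsigned char *src, size_t len, char *dst, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        char hex[5];
        const char *esc = NULL;
        switch (c) {
        case '\b': esc = "\\b";   break;
        case '\n': esc = "\\n";   break;
        case '\r': esc = "\\r";   break;
        case '\t': esc = "\\t";   break;
        case '\v': esc = "\\v";   break;
        case '\\': esc = "\\\\";  break;
        case '"':  esc = "\\\"";  break;
        default:
            if (c < 0x20 || c >= 0x7f) {
                snprintf(hex, sizeof hex, "\\x%02x", (unsigned)c);
                esc = hex;
            }
            break;
        }
        size_t elen = esc ? strlen(esc) : 1;
        if (n + elen >= cap) return -1;
        if (esc) memcpy(dst + n, esc, elen); else dst[n] = (char)c;
        n += elen;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Escape the NUL-terminated string src in the chosen style and compare the
 * result with expected; returns 1 on match, 0 otherwise. */
int check_escape(int apache_style, const char *src, const char *expected)
{
    char out[256];
    const unsigned char *u = (const unsigned char *)src;
    int n = apache_style ? apache_escape(u, strlen(src), out, sizeof out)
                         : suri_escape(u, strlen(src), out, sizeof out);
    return n >= 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample: a User-Agent value carrying a tab, double quotes
     * and a non-ASCII byte, as a client is free to send. */
    const char *ua = "curl/7.27.0\tinternal \"build\" \xc3\xa9";
    char suri[128], apache[128];
    suri_escape((const unsigned char *)ua, strlen(ua), suri, sizeof suri);
    apache_escape((const unsigned char *)ua, strlen(ua), apache, sizeof apache);
    printf("util-buffer style : %s\n", suri);
    printf("mod_log_config    : %s\n", apache);
    return 0;
}
```

<p>Run against the sample, the tab in the User-Agent comes out as <code>|09|</code> in the first line and as <code>\t</code> in the second, and the non-ASCII bytes as <code>|C3||A9|</code> versus <code>\xc3\xa9</code>. A parser written for Apache's escaping has no rule for <code>|XX|</code> sequences, which is the mismatch Peter ran into; a second print function that emits the mod_log_config form, as proposed in the thread, removes it without changing what the existing |XX| output looks like.</p>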