How to record http access response body in Suricata 6.0.3

Hello
We hope to record complete HTTP information through Suricata 6.0.3 to facilitate later security analysis and traceability. At present, according to the help document, it is impossible to record the response body in the log. How can I record the HTTP response body in Suricata 6.0.3?

You might be interested in this thread - Forensic mode for full logging - #3 by Jeff_Lucovsky

It looks like this feature is still not merged, though: Forensic mode rust v1.10 by regit · Pull Request #5688 · OISF/suricata · GitHub

Though I suspect in practice this feature would be performance impacting.

However, I do believe that if an alert has fired, the alert log can be configured to contain not only the HTTP payload but the more generic packet payload as well:
https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#alerts

There was also a talk at Suricon regarding an upcoming feature for “conditional full packet capture”; the recording of the talk can be found here - New for Suricata 7: Conditional PCAP - YouTube


Not sure why I didn’t think about this initially, but you might also find that the File Extraction feature could meet your needs:

https://suricata.readthedocs.io/en/latest/file-extraction/file-extraction.html
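The two suggestions above (alert payload/HTTP body logging, and file extraction) both come down to suricata.yaml settings. The fragment below is an added example written for this thread, not configuration posted by anyone in it or shipped by the Suricata project; the output directory, file names and the rule sid are assumptions, while every key used is one documented in the stock suricata.yaml and the linked pages.

```yaml
# Added example: suricata.yaml fragments for Suricata 6.x. Paths and the sid in
# the comment are assumptions; keys are the documented eve-log/file-store options.

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        # An alert record can carry the packet payload that fired the rule and,
        # for HTTP alerts, the reassembled HTTP body (request or response).
        - alert:
            payload: yes              # base64-encoded packet payload
            payload-buffer-size: 4kb  # how much stream payload to include
            payload-printable: yes    # same payload, printable characters only
            packet: yes               # full base64-encoded packet
            http-body: yes            # base64-encoded HTTP body
            http-body-printable: yes  # printable copy of the HTTP body
            tagged-packets: yes       # packets logged via the "tag" keyword
        - http:
            extended: yes             # extra HTTP fields in the http record
        - fileinfo                    # one record per file seen/extracted

# libhtp body limits cap how much of each body the engine keeps for inspection
# and therefore for http-body and file extraction. 0 removes the limit, which
# the file-extraction documentation recommends for complete files.
app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 0
          response-body-limit: 0

# File extraction (file-store v2). With force-filestore every file carried by
# a supporting parser, HTTP response bodies included, is written to disk,
# named by its SHA-256, whether or not a rule matched.
# Alternative to force-filestore: a rule using the "filestore" keyword, e.g.
#   alert http any any -> any any (msg:"store HTTP files"; filestore; sid:1000001; rev:1;)
file-store:
  version: 2
  enabled: yes
  dir: /var/log/suricata/filestore  # assumed path
  force-filestore: yes              # store all files, not only rule matches
  write-fileinfo: yes               # write a .json sidecar next to each file
  stream-depth: 0                   # 0 = follow the stream to its end
  force-hash: [sha256]
```

Two caveats worth keeping in mind: the alert options only log bodies for flows that actually raised an alert, so they do not give you every response on the wire, and force-filestore with unlimited body limits stores everything, which on a busy link consumes disk quickly and costs reassembly performance, so it is usually paired with a retention job or a tighter rule-based filestore policy.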

Thank you very much for helping us solve a big problem.