After reading the docs, I only found the way to record all the headers in HTTP (by using dump-all-headers: both).
But in the source code of Suricata output-json-http.c, I found some keywords like http_request_body or http_response_body in function EveHttpLogJSONBodyBase64.
So I think there must be some way to record all the body data in request or response.
Version: 6.0.3
YAML config uploaded: suricata.yaml (70.9 KB)
(The keywords like all-log, mac-log, url-suffix-filter, http-body-store in the http section came from others, but I don't know whether they work or not.)
Hi,
I don’t know if you mean this.
I use this configuration in the .yaml:
  - http:
      extended: yes     # enable this for extended logging information
      # custom allows additional HTTP fields to be included in eve-log.
      # the example below adds three additional fields when uncommented
      #custom: [Accept-Encoding, Accept-Language, Authorization]
      custom: [accept, accept-charset, accept-encoding, accept-language,
               accept-datetime, authorization, cache-control, cookie, from,
               max-forwards, origin, pragma, proxy-authorization, range, te, via,
               x-requested-with, dnt, x-forwarded-proto, accept-range, age,
               allow, connection, content-encoding, content-language,
               content-length, content-location, content-md5, content-range,
               content-type, date, etags, last-modified, link, location,
               proxy-authenticate, referrer, refresh, retry-after, server,
               set-cookie, trailer, transfer-encoding, upgrade, vary, warning,
               www-authenticate, x-flash-version, x-authenticated-user]
      # set this value to one and only one from {both, request, response}
      # to dump all HTTP headers for every HTTP request and/or response
      # dump-all-headers: none
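To check what a configuration like the one above actually puts into eve.json, here is an added example (not code from either poster or from Suricata) that reads eve.json lines, flattens dump-all-headers output into a header map, and base64-decodes the http_request_body / http_response_body fields named in the first post wherever a record carries them. The sample records are constructed, and placing those body fields inside the record's "http" object is an assumption made for the example.

```python
import base64
import json

# Constructed eve.json lines (not real Suricata output). The field names
# http_request_body / http_response_body come from output-json-http.c; that
# they sit inside the "http" object is an assumption made for this example.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"event_type": "http", "src_ip": "10.0.0.5",
     "http": {"hostname": "example.test", "url": "/login", "http_method": "POST",
              "request_headers": [{"name": "Host", "value": "example.test"},
                                  {"name": "Content-Type",
                                   "value": "application/x-www-form-urlencoded"}]}},
    {"event_type": "alert", "src_ip": "10.0.0.5",
     "http": {"hostname": "example.test", "url": "/login",
              "http_request_body": base64.b64encode(b"user=alice&pw=secret").decode(),
              "http_response_body": base64.b64encode(b"<html>ok</html>").decode()}},
    {"event_type": "alert", "src_ip": "10.0.0.6",
     "http": {"hostname": "example.test", "url": "/x",
              "http_request_body": "not base64!!"}},   # corrupt value
    {"event_type": "dns", "src_ip": "10.0.0.5"},       # no http object
])

BODY_FIELDS = ("http_request_body", "http_response_body")

def decode_body(value):
    """Base64-decode a logged body; None when the value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return None

def extract_http_records(text):
    """One dict per eve record carrying an 'http' object: dump-all-headers output
    flattened to a lower-cased name->value map, body fields decoded; others skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        http = rec.get("http")
        if not isinstance(http, dict):
            continue
        headers = {h["name"].lower(): h["value"]
                   for h in http.get("request_headers", [])}
        bodies = {f: decode_body(http[f]) for f in BODY_FIELDS if f in http}
        records.append({"event_type": rec.get("event_type"),
                        "url": http.get("hostname", "") + http.get("url", ""),
                        "request_headers": headers, "bodies": bodies})
    return records
```

Run it against a real eve.json (replace SAMPLE_EVE with the file contents) to see whether body fields appear at all for a given config; a None body marks a value that was present but not decodable.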