I use Lua to write a script that saves HTTP request headers, request body, etc. This script runs normally and records HTTP request logs from the specified network card.
suricata.yaml:
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      metadata: yes
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            # payload: yes
            # payload-buffer-size: 4kb
            # payload-printable: yes
            # packet: yes
            metadata: yes
            # http-body: yes
            # http-body-printable: yes
            tagged-packets: yes
        - lua:
            enabled: yes
            scripts-dir: /opt/suricata/lua
            scripts:
              - http.lua
app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 100kb
            decompress-depth: 100kb
          double-decode-path: no
          double-decode-query: no
        server-config:
stream:
  memcap: 128mb
  checksum-validation: yes
  inline: no
  memcap-policy: ignore
  reassembly:
    memcap: 256mb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
I use the following rule to record alerts for web page visits.
alert http any any -> any $HTTP_PORTS (msg:"Web access."; flow:established, to_server; content:"/"; http_uri; sid:1; rev:1;)
However, this rule sometimes does not produce alerts in eve.json as expected.
The details are as follows:
- When using a browser to access the webpage, the alert is often lost.
- I tested with different browsers and all have this problem; the tested browsers include Chrome, Firefox and Edge.
- When using Postman to send the same request, the alert is always generated and never lost.
- Every time I visit, I check the content recorded by the Lua script, and I have confirmed that every request produces the HTTP request headers, request body and other content.
So I’m not sure whether it’s a browser issue or a Suricata issue.
Hope you all can help me. Thanks.
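One way to pin down which requests lose their alert is to correlate the sid:1 alert records in eve.json (which carry the http metadata because of `metadata: yes`) against the per-request log the Lua script writes. This is an added example, not code from the question; the Lua log line format and the sample records are my own assumptions, since the script itself is not shown.

```python
import json

# Constructed sample eve.json alert records (not the poster's actual output).
EVE_LINES = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1,"rev":1,"signature":"Web access."},"http":{"hostname":"10.0.0.9","url":"/","http_method":"GET"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1,"rev":1,"signature":"Web access."},"http":{"hostname":"10.0.0.9","url":"/index.html","http_method":"GET"}}
"""

# Constructed per-request records in an assumed format for the Lua script:
# "src_ip:src_port -> dest_ip:dest_port METHOD URI", one line per request.
LUA_LINES = """\
10.0.0.5:51000 -> 10.0.0.9:80 GET /
10.0.0.5:51001 -> 10.0.0.9:80 GET /favicon.ico
10.0.0.5:51002 -> 10.0.0.9:80 GET /index.html
"""


def alerted_requests(eve_text, sid=1):
    """Return the set of (src_ip, src_port, dest_ip, dest_port, uri) keys
    for every eve.json alert record raised by the given signature id."""
    seen = set()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("signature_id") != sid:
            continue
        uri = rec.get("http", {}).get("url")
        seen.add((rec["src_ip"], rec["src_port"],
                  rec["dest_ip"], rec["dest_port"], uri))
    return seen


def parse_lua_log(text):
    """Parse the assumed Lua log format into the same key tuples."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, _, dst, _method, uri = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        reqs.append((sip, int(sport), dip, int(dport), uri))
    return reqs


def missing_alerts(eve_text, lua_text, sid=1):
    """Requests the Lua script saw for which no sid alert was logged."""
    alerted = alerted_requests(eve_text, sid)
    return [r for r in parse_lua_log(lua_text) if r not in alerted]
```

Browsers reuse keep-alive connections, so several requests can share one 5-tuple; including the URI in the key keeps them distinct, and the remaining list is exactly the set of requests to look at more closely.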