Please include the following information with your help request:
- Suricata 7.0.7 from source
- Ubuntu
When I check the JSON-format HTTP log, http_method contains weird values. In the picture, everything I erased was only characters. It looks like sometimes the real method is at the end of the line, sometimes not. I wonder whether I put something wrong in the configuration somewhere, or how I can fix the problem. Thanks.
Would you have a pcap to reproduce?
I tried what you said, but when I replay a pcap that contains the same request, it does not happen. It looks like it only appears in real-time parsing. I wonder whether I configured something wrong about HTTP parsing, or how I can troubleshoot to reduce this kind of problem. My EC2 machine: 8 cores, 16 GB RAM, with Suricata 7.0.7; the mirror traffic volume is currently about 1G. Here is my config file. Thanks a lot for your help.
suricata.yaml (95.5 KB)
In many erroneous real-time parse results there is no URL, or some fields are missing, such as hostname, or the URL is something like /libhtp:url_not_seen, so I guess some configuration somewhere needs enhancement.
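A triage script for the symptom described above, added here as an example and not code from the thread or from the Suricata project: it scans eve.json http records (constructed sample lines embedded below, not real traffic) and flags methods containing non-token bytes, a real method stuck at the end of the garbage, and records missing hostname or carrying a /libhtp: placeholder URL, so the affected flow_ids can be listed and compared against what the pcap replay produces.

```python
import json
import re
import string

# RFC 7230 "token" characters; a genuine HTTP method consists only of these.
_TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
_KNOWN = r"(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT|TRACE)$"

# Constructed eve.json lines (not captured data). flow 2 mimics garbage with
# the real method at the end; flow 3 mimics a missing hostname and a libhtp
# placeholder URL; flow 4 is a non-http event that must be ignored.
SAMPLE_EVE = """\
{"timestamp":"2025-01-01T00:00:00.000000+0000","flow_id":1,"event_type":"http","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","http":{"hostname":"example.test","url":"/index.html","http_method":"GET","protocol":"HTTP/1.1","status":200}}
{"timestamp":"2025-01-01T00:00:01.000000+0000","flow_id":2,"event_type":"http","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","http":{"hostname":"example.test","url":"/api","http_method":"\\u0000\\u0001xyPOST","protocol":"HTTP/1.1"}}
{"timestamp":"2025-01-01T00:00:02.000000+0000","flow_id":3,"event_type":"http","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","http":{"url":"/libhtp:url_not_seen","http_method":"GET","protocol":"HTTP/1.1"}}
{"timestamp":"2025-01-01T00:00:03.000000+0000","flow_id":4,"event_type":"dns","src_ip":"10.0.0.1","dest_ip":"10.0.0.2"}
"""


def check_http_record(rec):
    """Return a list of problem tags for one eve.json http record ([] if clean)."""
    problems = []
    http = rec.get("http", {})
    method = http.get("http_method")
    if method is None:
        problems.append("no_method")
    elif not method or any(c not in _TCHAR for c in method):
        # Bytes outside the token alphabet mean the parser did not start at a
        # real request line (typical of mid-stream pickup or reassembly gaps).
        problems.append("garbled_method")
        tail = re.search(_KNOWN, method)
        if tail:  # a known method survives at the end of the garbage
            problems.append("method_at_end:" + tail.group(1))
    if "hostname" not in http:
        problems.append("missing_hostname")
    url = http.get("url")
    if url is None:
        problems.append("missing_url")
    elif url.startswith("/libhtp:"):  # libhtp placeholder: URI never seen
        problems.append("url_not_seen")
    return problems


def scan_eve(text):
    """Scan eve.json text; return {flow_id: [problems]} for bad http records only."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "http":
            continue
        problems = check_http_record(rec)
        if problems:
            findings[rec["flow_id"]] = problems
    return findings


if __name__ == "__main__":
    for flow_id, problems in scan_eve(SAMPLE_EVE).items():
        print(flow_id, ", ".join(problems))
```

Run it against the live eve.json and the replay eve.json from the same pcap; if only the live file yields findings, the difference lies in what the sensor saw (reassembly, drops, encapsulation), not in the HTTP parser configuration.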
Please provide:
- suricata.log
- stats.log
- run command of Suricata
- suricata --build-info
/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml -k none
My mirror traffic is all wrapped in Geneve and VXLAN, like this:
stats.log (1.9 MB)
build_info.log (3.9 KB)
suricata.log (3.3 KB)
The multiple layers could be an issue. Could you try to reproduce it with a pcap and a -r file.pcap run?
I tried with -r to replay a pcap that contains the same request, but the parse is correct.