HTTP request header and HTTP response header not in eve.json

suricata.yaml

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      metadata: yes
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            # payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            # packet: yes
            metadata: yes
            # http-body: yes
            http-body-printable: yes
            tagged-packets: yes

eve.json

{
    "timestamp": "2023-06-29T09:16:12.530193+0000",
    "flow_id": 19463917013036,
    "in_iface": "ens32",
    "event_type": "alert",
    "src_ip": "192.168.2.1",
    "src_port": 49491,
    "dest_ip": "192.168.2.4",
    "dest_port": 80,
    "proto": "TCP",
    "tx_id": 0,
    "alert": {
        "action": "allowed",
        "gid": 1,
        "signature_id": 1,
        "rev": 1,
        "signature": "Access",
        "category": "Default alert rule",
        "severity": 10,
        "metadata": {
            "attack_level": [
                "0"
            ],
            "attck_x": [
                "1"
            ],
            "attck_y": [
                "T1593"
            ],
            "created_at": [
                "2022_09_29"
            ],
            "response": [
                "0"
            ]
        }
    },
    "http": {
        "hostname": "192.168.2.4",
        "url": "/",
        "http_user_agent": "PostmanRuntime/7.31.1",
        "http_content_type": "text/html",
        "http_method": "POST",
        "protocol": "HTTP/1.1",
        "status": 404,
        "length": 952,
        "http_request_body_printable": "balabala",
        "http_response_body_printable": "<html>   \r\n<head>   \r\n<title>..................</title>   \r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />   \r\n</head>   \r\n<body>   \r\n.\r\n\r\n<div align=\"center\">\r\n.......................................\r\n  ...</div>\r\n<div align=\"center\">\r\n  <font style=\"BACKGROUND-COLOR: #fffffd\" color=\"#0000ff\" size=\"4\"></font></div>\r\n\r\n\r\n\r\n<table>   \r\n  <tbody>   \r\n    <tr>   \r\n      <td>   \r\n     \r\n      <hr>      </td>   \r\n    </tr>   \r\n    <tr>   \r\n      <td></td>   \r\n    </tr>   \r\n    <tr>   \r\n      <td>   \r\n     </TD>   \r\n    </TR>   \r\n      <TD>   \r\n      <HR>      </TD>   \r\n    </TR>   \r\n  </TBODY>   \r\n</TABLE>   \r\n\r\n<table>   \r\n  <tbody>   \r\n    <tr>   \r\n      <td>   \r\n     \r\n      <hr>      </td>   \r\n    </tr>   \r\n    <tr>   \r\n      <td></td>   \r\n    </tr>   \r\n    <tr>   \r\n      <td>   \r\n     </TD>   \r\n    </TR>   \r\n      <TD>   \r\n      <HR>      </TD>   \r\n    </TR>   \r\n  </TBODY>   \r\n</TABLE>  \r\n\r\n  \r\n\r\n</body>   \r\n</html>"
    },
    "files": [
        {
            "filename": "/",
            "sid": [],
            "gaps": false,
            "state": "CLOSED",
            "stored": false,
            "size": 8,
            "tx_id": 0
        }
    ],
    "app_proto": "http",
    "flow": {
        "pkts_toserver": 4,
        "pkts_toclient": 4,
        "bytes_toserver": 524,
        "bytes_toclient": 1372,
        "start": "2023-06-29T09:16:12.526380+0000"
    },
    "payload_printable": "POST / HTTP/1.1\r\nContent-Type: text/plain\r\nUser-Agent: PostmanRuntime/7.31.1\r\nAccept: */*\r\nPostman-Token: 64706fb9-23d7-40b4-8ae7-e2d805d93413\r\nHost: 192.168.2.4\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nContent-Length: 8\r\n\r\nbalabala",
    "stream": 1
}

I want the request and response headers to be displayed in “http”, but they are not included above.

I would like eve.log to look like this.

Hi!

I believe the settings you’re looking for are mentioned in 16.1.1. Eve JSON Output — Suricata 6.0.13 documentation
Could you please try this and let us know if you’re able to see the headers then?

Thanks for your answer. I know the configuration item in this document, but it doesn’t match my expectation: I would like the HTTP request header and HTTP response header to be included in the JSON of the alert instead of in a separate JSON.

So, you get request_headers for event_type==http, but not for event_type==alert.

Do I get this correctly?

Yes! I want the request_headers to be in event_type==alert.

Indeed, it is not the case; it would be a new feature.

EveHttpAddMetadata (for alert events) does not call EveHttpLogJSONHeaders as EveHttpLogJSON (for http events) does.

I think this is because the alert logger does not know about the value of the flag LOG_HTTP_REQ_HEADERS (which comes from parsing the suricata.yaml at the http event logger initialization).

Could you create a Redmine ticket for this feature? And a contribution would be welcome.
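While the alert logger does not emit headers, they can still be attached after the fact: with `dump-all-headers: both` set under the `http` output type, the event_type==http record carries `request_headers` and `response_headers`, and a post-processing step can join them onto the alert that shares the same flow_id and tx_id. The script below is an added example, not code from the thread or from the Suricata project; the eve.json lines it reads are constructed to mirror the scenario above.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed NDJSON sample: one http event and one alert on the same
# transaction (flow_id 19463917013036, tx_id 0), plus an alert with no
# matching http event. Header arrays follow Suricata's name/value layout.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "http", "flow_id": 19463917013036, "tx_id": 0,
                "http": {"hostname": "192.168.2.4", "url": "/", "http_method": "POST",
                         "request_headers": [
                             {"name": "Host", "value": "192.168.2.4"},
                             {"name": "User-Agent", "value": "PostmanRuntime/7.31.1"}],
                         "response_headers": [
                             {"name": "Content-Type", "value": "text/html"}]}}),
    json.dumps({"event_type": "alert", "flow_id": 19463917013036, "tx_id": 0,
                "alert": {"signature_id": 1, "signature": "Access"},
                "http": {"hostname": "192.168.2.4", "url": "/", "http_method": "POST"}}),
    json.dumps({"event_type": "alert", "flow_id": 555, "tx_id": 0,
                "alert": {"signature_id": 2, "signature": "Other"}, "http": {"url": "/x"}}),
]

HEADER_KEYS = ("request_headers", "response_headers")


def enrich_alerts(lines: Iterable[str]) -> List[dict]:
    """Join http-event headers onto alert events keyed by (flow_id, tx_id).

    Two passes are used on purpose: an alert is written when the rule fires,
    which can be before the http event for the same transaction is logged,
    so the http records must be indexed before the alerts are walked.
    """
    events = [json.loads(line) for line in lines if line.strip()]
    headers_by_tx: Dict[Tuple[int, int], dict] = {}
    for ev in events:
        if ev.get("event_type") == "http":
            http = ev.get("http", {})
            key = (ev["flow_id"], ev.get("tx_id", 0))
            headers_by_tx[key] = {k: http[k] for k in HEADER_KEYS if k in http}
    enriched = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        key = (ev["flow_id"], ev.get("tx_id", 0))
        if key in headers_by_tx:  # alerts without an http record are left untouched
            ev.setdefault("http", {}).update(headers_by_tx[key])
        enriched.append(ev)
    return enriched


if __name__ == "__main__":
    for alert in enrich_alerts(SAMPLE_EVE_LINES):
        print(json.dumps(alert))
```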

I’m very sorry, I’m currently limited, so I can’t help you with this.

Thank you very much!
I’m looking forward to it!