suricata.yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      metadata: yes
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            # payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            # packet: yes
            metadata: yes
            # http-body: yes
            http-body-printable: yes
            tagged-packets: yes
eve.json
{
  "timestamp": "2023-06-29T09:16:12.530193+0000",
  "flow_id": 19463917013036,
  "in_iface": "ens32",
  "event_type": "alert",
  "src_ip": "192.168.2.1",
  "src_port": 49491,
  "dest_ip": "192.168.2.4",
  "dest_port": 80,
  "proto": "TCP",
  "tx_id": 0,
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1,
    "rev": 1,
    "signature": "Access",
    "category": "Default alert rule",
    "severity": 10,
    "metadata": {
      "attack_level": [
        "0"
      ],
      "attck_x": [
        "1"
      ],
      "attck_y": [
        "T1593"
      ],
      "created_at": [
        "2022_09_29"
      ],
      "response": [
        "0"
      ]
    }
  },
  "http": {
    "hostname": "192.168.2.4",
    "url": "/",
    "http_user_agent": "PostmanRuntime/7.31.1",
    "http_content_type": "text/html",
    "http_method": "POST",
    "protocol": "HTTP/1.1",
    "status": 404,
    "length": 952,
    "http_request_body_printable": "balabala",
    "http_response_body_printable": "<html> \r\n<head> \r\n<title>..................</title> \r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /> \r\n</head> \r\n<body> \r\n.\r\n\r\n<div align=\"center\">\r\n.......................................\r\n ...</div>\r\n<div align=\"center\">\r\n <font style=\"BACKGROUND-COLOR: #fffffd\" color=\"#0000ff\" size=\"4\"></font></div>\r\n\r\n\r\n\r\n<table> \r\n <tbody> \r\n <tr> \r\n <td> \r\n \r\n <hr> </td> \r\n </tr> \r\n <tr> \r\n <td></td> \r\n </tr> \r\n <tr> \r\n <td> \r\n </TD> \r\n </TR> \r\n <TD> \r\n <HR> </TD> \r\n </TR> \r\n </TBODY> \r\n</TABLE> \r\n\r\n<table> \r\n <tbody> \r\n <tr> \r\n <td> \r\n \r\n <hr> </td> \r\n </tr> \r\n <tr> \r\n <td></td> \r\n </tr> \r\n <tr> \r\n <td> \r\n </TD> \r\n </TR> \r\n <TD> \r\n <HR> </TD> \r\n </TR> \r\n </TBODY> \r\n</TABLE> \r\n\r\n \r\n\r\n</body> \r\n</html>"
  },
  "files": [
    {
      "filename": "/",
      "sid": [],
      "gaps": false,
      "state": "CLOSED",
      "stored": false,
      "size": 8,
      "tx_id": 0
    }
  ],
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 4,
    "bytes_toserver": 524,
    "bytes_toclient": 1372,
    "start": "2023-06-29T09:16:12.526380+0000"
  },
  "payload_printable": "POST / HTTP/1.1\r\nContent-Type: text/plain\r\nUser-Agent: PostmanRuntime/7.31.1\r\nAccept: */*\r\nPostman-Token: 64706fb9-23d7-40b4-8ae7-e2d805d93413\r\nHost: 192.168.2.4\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nContent-Length: 8\r\n\r\nbalabala",
  "stream": 1
}
I want the request and response headers to be displayed in "http", but they are not included above.
I would like eve.log to look like this:
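The desired output the poster refers to is not reproduced on the page. What Suricata's stock suricata.yaml offers for full header logging is the `http` output type, not the `alert` type: under `types`, add `- http:` with `extended: yes` and `dump-all-headers: both` (or `request` / `response`). With that enabled, each `http` event carries `request_headers` and `response_headers` as lists of `{"name": ..., "value": ...}` objects, and the alert and the http event for the same transaction share the same `flow_id` and `tx_id`. The script below, which is an added example and not code from the original post or from the Suricata project, joins the two on that key so each alert ends up with the header dump the poster is after. The EVE lines it parses are constructed for the example, modelled on the record in the thread, rather than captured sensor output.

```python
"""Join Suricata EVE alert events with the http events that carry full header dumps.

Added example for this thread, not code from the original post or from Suricata.
Assumes eve.json was produced with the `http` output type configured with
`extended: yes` and `dump-all-headers: both`, which emits `request_headers` and
`response_headers` as lists of {"name": ..., "value": ...} objects.
"""
import json
from collections import defaultdict

# Constructed sample EVE lines (not captured output). Line 1 mirrors the alert
# in the thread (trimmed); line 2 is the http event for the same flow_id/tx_id
# carrying the header dump; line 3 is an unrelated transaction that must not
# match; line 4 is an alert with no http event at all (e.g. rotated away).
SAMPLE_EVE = """
{"timestamp": "2023-06-29T09:16:12.530193+0000", "flow_id": 19463917013036, "event_type": "alert", "src_ip": "192.168.2.1", "src_port": 49491, "dest_ip": "192.168.2.4", "dest_port": 80, "proto": "TCP", "tx_id": 0, "alert": {"action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "Access", "category": "Default alert rule", "severity": 10}, "http": {"hostname": "192.168.2.4", "url": "/", "http_user_agent": "PostmanRuntime/7.31.1", "http_content_type": "text/html", "http_method": "POST", "protocol": "HTTP/1.1", "status": 404, "length": 952}, "app_proto": "http"}
{"timestamp": "2023-06-29T09:16:12.530500+0000", "flow_id": 19463917013036, "event_type": "http", "src_ip": "192.168.2.1", "src_port": 49491, "dest_ip": "192.168.2.4", "dest_port": 80, "proto": "TCP", "tx_id": 0, "http": {"hostname": "192.168.2.4", "url": "/", "http_user_agent": "PostmanRuntime/7.31.1", "http_content_type": "text/html", "http_method": "POST", "protocol": "HTTP/1.1", "status": 404, "length": 952, "request_headers": [{"name": "Content-Type", "value": "text/plain"}, {"name": "User-Agent", "value": "PostmanRuntime/7.31.1"}, {"name": "Host", "value": "192.168.2.4"}, {"name": "Content-Length", "value": "8"}], "response_headers": [{"name": "Content-Type", "value": "text/html"}, {"name": "Content-Length", "value": "952"}]}}
{"timestamp": "2023-06-29T09:16:13.000000+0000", "flow_id": 19463917013037, "event_type": "http", "src_ip": "192.168.2.1", "src_port": 49492, "dest_ip": "192.168.2.4", "dest_port": 80, "proto": "TCP", "tx_id": 0, "http": {"hostname": "192.168.2.4", "url": "/other", "http_method": "GET", "protocol": "HTTP/1.1", "status": 200, "length": 12, "request_headers": [{"name": "Host", "value": "192.168.2.4"}], "response_headers": [{"name": "Content-Type", "value": "text/plain"}]}}
{"timestamp": "2023-06-29T09:16:14.000000+0000", "flow_id": 19463917013038, "event_type": "alert", "src_ip": "192.168.2.1", "src_port": 49493, "dest_ip": "192.168.2.4", "dest_port": 80, "proto": "TCP", "tx_id": 0, "alert": {"action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "Access", "category": "Default alert rule", "severity": 10}, "app_proto": "http"}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def headers_to_dict(header_list):
    """Flatten [{"name": n, "value": v}, ...] into {n.lower(): [v, ...]}.

    Header names are case-insensitive on the wire, so the key is lowercased;
    values stay in a list because headers such as Set-Cookie may repeat.
    """
    out = defaultdict(list)
    for h in header_list or []:
        out[h["name"].lower()].append(h["value"])
    return dict(out)


def tx_key(ev):
    """Correlation key: one HTTP transaction is identified by (flow_id, tx_id)."""
    return (ev["flow_id"], ev.get("tx_id", 0))


def enrich_alerts(events):
    """Return copies of the alert events with request/response headers merged
    into their `http` object from the http event of the same transaction.

    Two passes are used because the alert and the http event for one transaction
    may be written to eve.json in either order. Alerts with no matching http
    event are kept and flagged rather than silently dropped.
    """
    http_by_tx = {tx_key(ev): ev["http"] for ev in events if ev.get("event_type") == "http"}
    enriched = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        rec = json.loads(json.dumps(ev))  # deep copy; leave the parsed input untouched
        http_ev = http_by_tx.get(tx_key(ev))
        if http_ev is None:
            rec["http_headers_missing"] = True
        else:
            rec.setdefault("http", {})
            rec["http"]["request_headers"] = headers_to_dict(http_ev.get("request_headers"))
            rec["http"]["response_headers"] = headers_to_dict(http_ev.get("response_headers"))
        enriched.append(rec)
    return enriched


if __name__ == "__main__":
    for rec in enrich_alerts(parse_eve(SAMPLE_EVE)):
        print(json.dumps(rec, indent=2))
```

Run it against a real eve.json by replacing `SAMPLE_EVE` with the file contents; for a live file, a streaming variant that buffers http events in a bounded dict is more appropriate than loading everything into memory, but the join key and the two-pass logic are the same.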