Http response body truncated in eve.json by suricata

Please include the following information with your help request:

  • Suricata version
  • Operating system and/or Linux distribution
  • How you installed Suricata (from source, packages, something else)

Hi, I’m using Suricata 6.0.14 on CentOS 7, installed from source. I want to generate an alert when Suricata detects HTTP responses containing favicon.ico image content. The rule I’m using is:
alert tcp any [80,443] -> any any (msg:"Server Response with favicon.ico Content"; content:"HTTP/1."; content:"Content-Type: image/x-icon"; content:"|00 00 01 00|"; flow:to_client; distance:0; within:1000; sid:1000026; rev:1;)
The rule works great, but I find that in the alert the fields http_response_body and http_response_body_printable are truncated. Is there any way to persist the entire content of the response body in base64 format? Thanks :grinning_face:

Suricata 6 is EOL; please test it first with the latest Suricata version 8, or with 7, which is still supported.

You might also look into suricata.yaml, where you can set payload-buffer-size and payload-length, but there are a lot of entries (for example stream depth, etc.) that could also play a role in truncated values.

I tried to set response-body-limit and memcap for the http protocol in suricata.yaml. It is strange that if I set them to a smaller integer (for instance, 10), eve.json truncates even more, as in "http_response_body_printable\":\"...... ..\",\"http_response_body\":\"AAABAAEAICAAAA==\", as expected. But if I set them to a greater number, the truncation continues without improvement. :face_with_raised_eyebrow:

Hi, thanks for your quick response! :grinning_face:
I will upgrade Suricata and give feedback if there’s some progress.

There are other configuration parameters having an effect here: response-body-limit, stream.depth, maybe more…
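A triage check for the truncation discussed in this thread, as an added example that is not part of the thread and not Suricata's own code: it decodes the base64 `http_response_body` field of eve.json alert records, parses the ICO directory behind the `|00 00 01 00|` header the rule matches on, and compares the length the directory claims against what was actually captured, so a short body can be told apart from a genuinely small icon. The eve.json records and the complete icon are constructed here; the first record carries the ten-byte body quoted above.

```python
import base64
import json
import struct

ICONDIR_LEN = 6        # reserved(2) + type(2) + image count(2)
ICONDIRENTRY_LEN = 16  # one directory entry per image

def expected_ico_length(data: bytes):
    """Length the ICO directory claims (max offset+size over entries); None if not an ICO or the directory is cut off."""
    if len(data) < ICONDIR_LEN:
        return None
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1 or count == 0 or len(data) < ICONDIR_LEN + ICONDIRENTRY_LEN * count:
        return None
    end = 0
    for i in range(count):
        # size and offset are bytes 8..15 of each 16-byte entry
        size, offset = struct.unpack_from("<II", data, ICONDIR_LEN + ICONDIRENTRY_LEN * i + 8)
        end = max(end, offset + size)
    return end

def check_alert(record: dict) -> dict:
    """Compare the captured body of one eve.json alert with the ICO directory's claim."""
    body = base64.b64decode(record.get("http_response_body", ""))
    expected = expected_ico_length(body)
    return {"sid": record["alert"]["signature_id"], "captured": len(body),
            "expected": expected, "truncated": expected is None or len(body) < expected}

def scan_eve(lines):
    """Run check_alert over every alert record that carries a response body."""
    out = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") == "alert" and "http_response_body" in rec:
            out.append(check_alert(rec))
    return out

def _tiny_ico() -> bytes:
    """Constructed complete 1x1 ICO: 6-byte header, one entry, 48-byte BMP payload (70 bytes total)."""
    bmp = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0) + b"\x00\x00\x00\xff" + b"\x00" * 4
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(bmp), ICONDIR_LEN + ICONDIRENTRY_LEN)
    return struct.pack("<HHH", 0, 1, 1) + entry + bmp

# Constructed eve.json records: the 10-byte body quoted in the thread, then a complete icon.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "alert": {"signature_id": 1000026}, "http_response_body": "AAABAAEAICAAAA=="}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": 1000026}, "http_response_body": base64.b64encode(_tiny_ico()).decode()}),
]
```

Run `scan_eve` over the lines of a real eve.json to list which alerts lost part of the icon; an `expected` of None with a small `captured` value means even the 22-byte directory did not survive.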