I am new to Suricata and I am trying to capture HTTP traffic in forensic mode. When I send large bodies, Suricata is not logging the complete response body in the eve log. My request body is about 60k bytes long, which gets reflected by the server, which makes the response body also 60k bytes long. I get the complete request body in the http_request_body field. However, the http_response_body field in the http alert only contains part of the response body. It only captures the first 36k bytes of the response body. I suspect I must be missing some configuration that allows it to capture the complete body. The bytes to_server and to_client should be roughly the same because the server is just reflecting the body. But those values are not the same.
My setup consists of a Python HTTP server running on the same host as Suricata. I am posting data to the HTTP server via the curl command. The curl command is receiving the complete response body before closing the connection. Any help is appreciated.
Suricata Version: 7.0.2 (docker)
Linux Distro: Ubuntu 20.04
```yaml
# payload: yes             # enable dumping payload in Base64
# payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
# payload-printable: yes   # enable dumping payload in printable (lossy) format
# packet: yes              # enable dumping of packet (without stream segments)
# metadata: yes            # enable inclusion of app layer metadata. Default yes
http-body: yes             # Requires metadata; enable dumping of HTTP body in Base64
# http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
```
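To measure the truncation described above rather than eyeballing the eve log, here is an added diagnostic script (not from the post or the Suricata project) that decodes the Base64 `http_request_body` / `http_response_body` fields of each eve.json event and compares the logged response length against `http.length` and the flow byte counters. It assumes `http.length` is the response body length Suricata parsed; the sample event is constructed to mirror the 60k/36k case.

```python
import base64
import json

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

# Constructed eve.json events (not real log data): a 60000-byte request body
# echoed by the server, of which only 36000 bytes of the response were logged.
SAMPLE_EVE = "\n".join([
    json.dumps({
        "event_type": "alert",
        "flow": {"bytes_toserver": 60512, "bytes_toclient": 60367},
        "http": {"hostname": "127.0.0.1", "url": "/echo", "http_method": "POST",
                 "length": 60000,
                 "http_request_body": b64(b"A" * 60000),
                 "http_response_body": b64(b"A" * 36000)},
    }),
    json.dumps({"event_type": "http",
                "http": {"hostname": "127.0.0.1", "url": "/ping", "length": 2}}),
])

def body_len(http: dict, key: str):
    """Decoded byte length of a Base64 body field, or None when it was not logged."""
    raw = http.get(key)
    return None if raw is None else len(base64.b64decode(raw))

def check_body_logging(eve_text: str) -> list:
    """One report per event carrying an http object: bytes of each body actually
    logged versus the response length Suricata parsed (assumed: http.length)."""
    reports = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        http = ev.get("http")
        if not http:
            continue
        logged = body_len(http, "http_response_body")
        declared = http.get("length")
        flow = ev.get("flow", {})
        reports.append({
            "url": http.get("url"),
            "request_body_logged": body_len(http, "http_request_body"),
            "response_body_logged": logged,
            "response_length": declared,
            "bytes_toserver": flow.get("bytes_toserver"),
            "bytes_toclient": flow.get("bytes_toclient"),
            "response_truncated": logged is not None and declared is not None and logged < declared,
        })
    return reports

if __name__ == "__main__":
    for r in check_body_logging(SAMPLE_EVE):
        flag = "TRUNCATED" if r["response_truncated"] else "ok"
        print(f"{r['url']}: response {r['response_body_logged']}/{r['response_length']} bytes ({flag})")
```

Run it against a real log with `check_body_logging(open("/var/log/suricata/eve.json").read())` to see exactly where the logged body stops relative to the parsed response length.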