Incomplete response body in eve log

Hi,
I am new to Suricata and I am trying to capture HTTP traffic in forensic mode. When I send large bodies, Suricata is not logging the complete response body in the eve log. My request body is about 60k bytes log which gets reflected by the server which makes the response body also 60k bytes long. I get the complete request body in http_request_body field. However, the http_response_body field in the http alert only contains part of the response body. It only captures the first 36k bytes of the response body. I suspect I must be missing some configuration that allows it to capture the complete body. The bytes to_server and to_client should be roughly the same because the server is just reflecting the body. But those values are not the same.

"bytes_toserver":60575,"bytes_toclient":36767

My setup consists of a Python HTTP server running on the same host as Suricata. I am posting data to the HTTP server via the curl command. The curl command is receiving the complete response body before closing the connection. Any help is appreciated.

Dk.

Suricata Version: 7.0.2 (docker)
Linux Distro: Ubuntu 20.04

suricata.yaml:

      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # metadata: yes            # enable inclusion of app layer metadata. Default yes
            http-body: yes             # Requires metadata; enable dumping of HTTP body in Base64
            # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in          printable format

Please include the following information with your help request:

  • Suricata version
  • Operating system and/or Linux distribution
  • How you installed Suricata (from source, packages, something else)

Please post the full suricata.yaml along the run commands that you use, stats.log and if possible the pcap as well.

You could also check the http app layer section where you can define the limits and adjust the values within the libhtp part.

Hi Andreas,
Thanks for taking the time to respond to me. I am using stock suricata.yaml except for body logging config I showed above. I tried playing with the numbers under libhtp section but did not have any luck. Here’s the tar.gz link that includes both the full yaml and the pcap like you requested.

https://www.dropbox.com/scl/fi/teiwg08sfnz01rqsajnv2/suricata.tar.gz?rlkey=20vi53xygzp8a4drr013lfaqp&dl=0

Thank you,
Dk.

PS: Since there was no attachment facility, I had to resort to dropbox links :slight_smile:

Could you also post the run commands as well just to make sure we have the exact reproduced scenario?

You mean how I invoked suricata? This is how I did it.

docker run --rm --name suricata -v /home/ubuntu/suricata.yaml:/etc/suricata/suricata.yaml -it --net=host --cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice jasonish/suricata:latest -i ens5

The suricata.yaml mapped is the one I sent in my previous message.

Inside the container, the command is this…

/usr/bin/suricata --user suricata --group suricata -i ens5

And how do you run the replay?

There is no replay. Like I mentioned earlier, suricata (docker using host networking) and my server (python) are running on the same host machine. Anything received on the host machine ens5 interface is being sniffed by suricata. I am sending traffic to my server on that target machine using curl.

M1 (curl)   <-----------> M2 (suricata-docker, python-svr)

@Andreas_Herz
Do you need any additional info? Would appreciate any insight into this issue. I’ve decoded the pcap with tshark and it is showing the entire bodies for both the request and responses.