Only Capture HTTP Traffic

Hi,

I want to use Suricata to capture only HTTP traffic (not analyze it). I do not want to capture any other traffic at all, and I also do not want to analyze the traffic; I just want HTTP traffic to be logged.

I do not want to capture any other traffic since it is unnecessary for me and because it impacts performance and storage.

I have tried configuring suricata.yaml, but I have not been able to solve my problem. Could someone here help me?

Do you literally mean HTTP, or do you mean “web traffic”, which will predominantly be HTTPS these days? HTTPS is encrypted. That means you cannot see the packet payload contents unless you configure MITM (man-in-the-middle) interception using a third-party tool. You can only see source and destination IP addresses and ports, and for now some SNI data.

To rephrase, you’re asking if Suricata can discard non-HTTP traffic and then generate logs only?

Suricata can be configured to log only metadata if you disable alerts in the output section of the config file:

      types:
        - alert:
            enabled: no

Discarding non-HTTP packets is more difficult. You can disable the app-layer protocols you don't care about in the app-layer section.
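Putting the two suggestions above together, here is an added suricata.yaml fragment (written for this thread, not taken from the Suricata project docs) that drops non-HTTP packets before Suricata parses them and writes only http records to eve.json. The interface name, the port list and the file name are assumptions; adjust them to your environment. The bpf-filter key under af-packet, the eve-log types list and the app-layer protocol toggles are standard suricata.yaml settings.

```yaml
# Added example for this thread (not from the Suricata project).
# Goal: capture only HTTP, log only HTTP, no alerts, minimal CPU and disk.

af-packet:
  - interface: eth0            # assumption: your capture interface
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    # Kernel-side BPF: packets on other ports never reach Suricata at all,
    # which is where the CPU and storage savings come from.
    # Assumed port list; add any other ports where you run plaintext HTTP.
    bpf-filter: "tcp port 80 or tcp port 8080"

outputs:
  - fast:
      enabled: no              # no text alert log
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json       # assumption: file name under default-log-dir
      types:
        - alert:
            enabled: no        # no alert records even if rules are loaded
        - http:
            extended: yes      # hostname, method, status, lengths, headers
        # dns, tls, flow, fileinfo, stats etc. are deliberately omitted,
        # so nothing but http records is written.
  - stats:
      enabled: no              # stats.log would otherwise grow on its own

app-layer:
  protocols:
    http:
      enabled: yes
    tls:
      enabled: no
    ssh:
      enabled: no
    smtp:
      enabled: no
    # Disable the remaining protocols the same way (ftp, smb, dns, ...).
```

Two caveats. First, the BPF filter selects by port, so HTTP spoken on a port not in the list is never seen; Suricata's own protocol detection would normally find HTTP on any port, and that is the trade-off you make for discarding traffic in the kernel. Second, if you load no rules at all (an empty rule-files list), nothing can alert anyway, and the http records are still written because EVE HTTP logging does not depend on rules.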

Hello, I literally mean HTTP, not web traffic.

Yes, exactly. I want Suricata to only look for HTTP traffic and only to generate HTTP traffic, that's enough for my needs.