Pfring workers mode


I am running Suricata 4.0.5 on CentOS 7. When I use workers mode, there is no connection between request and response. However, if I run with autofp mode, the request and response are in the same log. What should I do to know which request corresponds to which response?

Can you give us more details about your configuration and setup?

Also, 4.0.5 is EOL; please upgrade to a supported version of Suricata (5 or 6).

Hi bro,
Now I have updated to suricata-6.0.2, but the output of eve.json is also detached. That means in autofp runmode, one record contains the HTTP request and response, but with workers runmode, there are two log records for the request and response respectively.
The eve.json setup:
- alert:
    # payload: yes             # enable dumping payload in Base64
    payload-buffer-size: 10kb  # max size of payload buffer to output in eve-log
    payload-printable: yes     # enable dumping payload in printable (lossy) format
    # packet: yes              # enable dumping of packet (without stream segments)
    # metadata: no             # enable inclusion of app layer metadata with alert. Default yes
    # http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
    http-body-printable: yes   # Requires metadata; enable dumping of HTTP body in printable format

    # Enable the logging of tagged packets for rules using the
    # "tag" keyword.
    #tagged-packets: yes

In general you can use the flow_id, which should be the same in that case.
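
The flow_id correlation suggested above, scripted as an added example (not part of the thread and not Suricata project code). The sample records are constructed, and grouping additionally on tx_id is an assumption made here to keep several HTTP transactions on one flow apart.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the thread): two alert events logged
# separately for one HTTP transaction, one unrelated flow, one stats record
# without flow_id, and a truncated last line as seen on a live eve.json.
SAMPLE_EVE = r'''
{"timestamp":"2021-04-01T10:00:00.200000+0000","flow_id":1111,"tx_id":0,"event_type":"alert","src_ip":"192.0.2.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":51000,"alert":{"signature_id":1000002},"http":{"hostname":"example.test","url":"/login","status":200}}
{"timestamp":"2021-04-01T10:00:00.100000+0000","flow_id":1111,"tx_id":0,"event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":80,"alert":{"signature_id":1000001},"http":{"hostname":"example.test","url":"/login","http_method":"POST"}}
{"timestamp":"2021-04-01T10:00:01.000000+0000","flow_id":2222,"tx_id":0,"event_type":"alert","src_ip":"10.0.0.6","src_port":51001,"dest_ip":"192.0.2.10","dest_port":80,"alert":{"signature_id":1000001},"http":{"hostname":"example.test","url":"/","http_method":"GET"}}
{"timestamp":"2021-04-01T10:00:02.000000+0000","event_type":"stats","stats":{"uptime":60}}
{"timestamp":"2021-04-01T10:00:03.0000
'''.strip().splitlines()

def _ts(event):
    # Parse the eve timestamp so ordering does not depend on string layout
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

def group_by_flow(lines):
    """Group eve records by (flow_id, tx_id), oldest first within each group."""
    groups = defaultdict(list)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written line at the tail of the file
        if "flow_id" not in event:
            continue  # e.g. stats records are not tied to a flow
        groups[(event["flow_id"], event.get("tx_id"))].append(event)
    for events in groups.values():
        events.sort(key=_ts)
    return dict(groups)

def correlated_transactions(lines):
    """Return {(flow_id, tx_id): summary} for groups with more than one record."""
    out = {}
    for key, events in group_by_flow(lines).items():
        if len(events) > 1:
            http = {}
            for event in events:
                http.update(event.get("http", {}))  # request + response fields
            sids = [e["alert"]["signature_id"] for e in events if "alert" in e]
            out[key] = {"sids": sids, "http": http}
    return out

if __name__ == "__main__":
    for key, summary in correlated_transactions(SAMPLE_EVE).items():
        print(key, json.dumps(summary))
```
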