Suricata http logs rule windows

Hello, could someone help me with a rule that makes suricata only detect and log http traffic ?

You don’t need a rule for that. If you want to log all http traffic, you just need to enable the http app-layer parser and the output in the eve.json, but http is enabled by default, so in theory there is not much to do there.

Hello Andreas,
Yes, but suricata is creating too much logging, which takes space on the server. Is it possible to limit it to just log http traffic?

You can remove all other output entries other than http in the suricata.yaml. That will only emit http events in your EVE output.

Hello Sascha, I didn’t find any, could you share a screenshot please?

You can find the documentation for the output section here: 17. Output — Suricata 8.0.0-dev documentation

I meant suricata.yaml instead of eve.json of course. Sorry for the confusion.

What I meant was removing all the sub-items from the outputs.eve-log.types (suricata/suricata.yaml.in at master · OISF/suricata · GitHub) that you don’t want.

Hello Sascha, thanks for your support.

I’m just getting started with suricata and I have no experience with it. How much can I delete without suricata getting broken?

Not sure what you mean by “broken”… Suricata will only include those events that are listed in the types list in the eve.json. If you leave only one (e.g. http) in there, Suricata will only log events of that type.
You decide what amount of information is sufficient for you.
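The trimmed outputs section the reply above describes, as an added example (not a snippet posted in this thread and not a copy of the project's suricata.yaml.in). The key names `outputs`, `eve-log`, `types`, `http`, `alert`, `extended` and `app-layer.protocols.http.enabled` are real suricata.yaml keys; the filename and the choice to keep the `alert` type are assumptions made for the example.

```yaml
# Added example: a minimal suricata.yaml outputs section that emits only HTTP
# transaction records (plus alerts) into eve.json. Every other sub-item that the
# stock file lists under "types" (dns, tls, flow, stats, ...) has been removed,
# so Suricata simply does not write those event types.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json        # assumed name; written relative to default-log-dir
      types:
        # Keep "alert" only if you load rules such as http-events.rules and want
        # their hits logged; drop this entry and only HTTP records remain.
        - alert:
            tagged-packets: yes
        # The single metadata type we actually want on disk.
        - http:
            extended: yes       # adds referer, content-type, length, etc.

# The HTTP parser is on by default; shown here so the example is complete.
app-layer:
  protocols:
    http:
      enabled: yes
```

Removing entries from `types` only changes what is written to eve.json; it does not disable the parsers or rule evaluation, so traffic is still inspected. After editing, run `suricata -T -c suricata.yaml` to have Suricata validate the configuration before restarting the service.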

What is the difference between deleting from types and activating the “http-events.rules”. I saw that someone did that in another thread in this forum.

http-events.rules enables output of only alert type events that report weirdnesses in http requests (not security related, just parsing issues and strange situations like missing requests). These are only output if the alert type is active as an EVE output type in suricata.yaml.

Including/removing types in the outputs in suricata.yaml only determines if that type is logged, not if rules are evaluated at all. In particular, you can configure whether you want to see metadata that did not lead to alerts in the EVE JSON output. E.g. all HTTP requests, all DNS queries, all FTP transactions, etc. The rules only trigger alerts.