Suricata, HTTP request/response data is not outputting to eve-log, is there any way?

  • Suricata version : v7.0.6
  • Operating system and/or Linux distribution : MacOS Sonoma 14.6 (Apple Silicon ARMv8)
  • How you installed Suricata : brew

Hello. I want to use Suricata to output HTTP request and response data.

The first thing I tried was to set http-body-data, which leaves HTTP data, but not in the way I want.

My goal is to have the HTTP request/response data body logging in “eve-log:”.

I tried by checking the settings in the official documentation and previous forum history, but ultimately failed.

I’ve attached the config and would like some help on which part is the problem.

  • [Snippet] suricata.yaml
      types:
        - alert:
            payload: yes             # enable dumping payload in Base64
            payload-buffer-size: 1024kb # max size of payload buffer to output in eve-log
            payload-printable: yes   # enable dumping payload in printable (lossy) format
            packet: yes              # enable dumping of packet (without stream segments)
            metadata: yes             # enable inclusion of app layer metadata with alert. Default yes
            http-body: yes           # Requires metadata; enable dumping of HTTP body in Base64
            http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
            http-headers: yes
        - http:
            extended: yes     # enable this for extended logging information
            # custom allows additional HTTP fields to be included in eve-log.
            # the example below adds three additional fields when uncommented
            #custom: [Accept-Encoding, Accept-Language, Authorization]
            # set this value to one and only one from {both, request, response}
            # to dump all HTTP headers for every HTTP request and/or response
            dump-all-headers: both
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes     # enable this for extended logging information
      custom: yes       # enable the custom logging format (defined by customformat)
      customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

app-layer:
  # error-policy: ignore
  protocols:
    http:
      enabled: yes
      detection-ports:
        dp: [80,8080,8545,1317]
        sp: [80,8080,8545,1317]
      # Byte Range Containers default settings
      #byterange:
        #memcap: 100mb
        #timeout: 60

      libhtp:
         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 1024kb
           response-body-limit: 1024kb

           # inspection limits
           #  request-body-minimal-inspect-size: 32kb
           #  request-body-inspect-window: 4kb
           #  response-body-minimal-inspect-size: 40kb
           #  response-body-inspect-window: 16kb

           # response body decompression (0 disables)
           response-body-decompress-layer-limit: 2

           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
           http-body-inline: auto

The links below are the ones I’ve referenced for troubleshooting and are out of date or similar and have failed to solve the exact problem.

Can you give an example output ideally with a pcap as well that you get and what part you’re missing exactly?

I think this is only possible for alerts. Is that what you mean?

Thank you for your attention to the issue.
After further investigation: in a packet-mirroring environment, TLS traffic was being mirrored without being decrypted, so it was not being caught correctly.
I checked the eve-log logs for normal HTTP and they are normal.
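Added example, not code from the thread or from the Suricata project: a small reader for eve.json that decodes the Base64 HTTP bodies the `http-body: yes` alert option writes, and that separates alerts on undecrypted TLS flows (where no HTTP body can exist) from alerts that actually carry one. The sample lines are constructed, and the field names `http_request_body` / `http_response_body` under the `http` object and the top-level `app_proto` key are assumed to match what Suricata 7 emits for alert records.

```python
import base64
import json

# Constructed sample eve.json lines (not real Suricata output): one HTTP alert
# carrying Base64 bodies, one alert on an undecrypted TLS flow, one flow record.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10",
                "app_proto": "http",
                "alert": {"signature_id": 1000001, "signature": "TEST POST body"},
                "http": {"hostname": "example.com", "url": "/login", "http_method": "POST",
                         "status": 200,
                         "http_request_body": base64.b64encode(b"user=alice&pw=s3cret").decode(),
                         "http_response_body": base64.b64encode(b"<html>ok</html>").decode()}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10",
                "app_proto": "tls",
                "alert": {"signature_id": 1000002, "signature": "TEST TLS flow"},
                "tls": {"sni": "example.com"}}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10"}),
]


def _decode(b64):
    # http-body fields are Base64; missing field means no body was logged
    return base64.b64decode(b64) if b64 else None


def alert_bodies(lines):
    """Yield one dict per alert record with its decoded HTTP request/response body.

    Bodies exist only when the alert fired on a flow Suricata parsed as HTTP; an
    alert on a TLS flow yields body=None, which is the symptom seen in this thread."""
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # eve.json mixes event types; bodies only live on alert records
        http = rec.get("http", {})
        yield {
            "sid": rec["alert"]["signature_id"],
            "app_proto": rec.get("app_proto"),
            "hostname": http.get("hostname"),
            "url": http.get("url"),
            "request_body": _decode(http.get("http_request_body")),
            "response_body": _decode(http.get("http_response_body")),
        }


def summarize(lines):
    """Count alerts that carry a decoded HTTP body versus alerts on encrypted TLS flows."""
    with_body = tls_no_body = 0
    for a in alert_bodies(lines):
        if a["request_body"] is not None or a["response_body"] is not None:
            with_body += 1
        elif a["app_proto"] == "tls":
            tls_no_body += 1
    return {"with_http_body": with_body, "tls_no_body": tls_no_body}
```

A high `tls_no_body` count on a mirror port points at undecrypted traffic rather than at the eve-log configuration.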