Hello
We use suricata with the following rules to intercept HTTP traffic for further analysis:
alert http any any -> any any (http_content_type; content:"application/json"; sid:7;)
alert http any any -> any any (http_content_type; content:"application/ld+json"; sid:8;)
alert http any any -> any any (http_content_type; content:"application/x-httpd-php"; sid:9;)
alert http any any -> any any (http_content_type; content:"application/xml"; sid:10;)
alert http any any -> any any (http_content_type; content:"application/xhtml+xml"; sid:11;)
alert http any any -> any any (http_content_type; content:"text/plain"; sid:12;)
alert http any any -> any any (http_content_type; content:"text/html"; sid:13;)
alert http any any -> any any (http_content_type; content:"text/xml"; sid:14;)
alert http any any -> any any (http_content_type; content:"text/csv"; sid:15;)
alert http any any -> any any (content:"POST"; http_method; sid:16;)
pass http any any -> any any (msg:"IMAGE"; http_content_type; content:"image"; filestore; sid:1;)
pass http any any -> any any (msg:"VIDEO"; http_content_type; content:"video"; filestore; sid:2;)
Every 30 sec suricata updates the stats.json file:

stats:
  enabled: yes
  interval: 30

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: stats.json
      types:
        - stats:
            totals: yes
            threads: no
            deltas: no
However, the calculated rates (per second) of app_layer.flow.http seem unrealistic: around 10/s, which is 50 times lower than tcp.sessions.
This raises the following questions:
- are the listed configuration and rules valid?
- does app_layer.flow.http represent processed HTTP packets, or sessions?
- what is the difference between app_layer.flow.http and app_layer.tx.http?
- is there a complete description of the stats fields?
Any clarification will be highly appreciated.
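As an added example (not part of the original post or of Suricata itself), the script below shows one way the per-second rates quoted in the question can be derived from consecutive EVE stats records: with "totals: yes" and "deltas: no" the counters are cumulative, so each rate is the difference between two successive records divided by the time between them. The sample records are constructed, and the counter paths used (stats.tcp.sessions, stats.app_layer.flow.http, stats.app_layer.tx.http) are assumed to match the nesting of Suricata's stats output; a counter that goes backwards (for example after a restart) is reported as None rather than as a negative rate.

```python
import json
from datetime import datetime

# Constructed sample: four consecutive EVE "stats" records, 30 s apart.
# The fourth record simulates a Suricata restart (uptime and counters reset).
SAMPLE_STATS = """\
{"timestamp":"2020-05-01T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"tcp":{"sessions":120000},"app_layer":{"flow":{"http":2400},"tx":{"http":9000}}}}
{"timestamp":"2020-05-01T10:00:30.000000+0000","event_type":"stats","stats":{"uptime":90,"tcp":{"sessions":135000},"app_layer":{"flow":{"http":2700},"tx":{"http":10200}}}}
{"timestamp":"2020-05-01T10:01:00.000000+0000","event_type":"stats","stats":{"uptime":120,"tcp":{"sessions":150000},"app_layer":{"flow":{"http":3000},"tx":{"http":11400}}}}
{"timestamp":"2020-05-01T10:01:30.000000+0000","event_type":"stats","stats":{"uptime":30,"tcp":{"sessions":5000},"app_layer":{"flow":{"http":100},"tx":{"http":400}}}}
"""

# Counters we want rates for, as dotted paths under the "stats" object (assumed layout).
COUNTERS = ["tcp.sessions", "app_layer.flow.http", "app_layer.tx.http"]


def parse_stats_records(text):
    """Return [(timestamp, stats_dict), ...] for every event_type=="stats" line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "stats":
            continue  # eve-log files may mix alerts and stats; keep only stats
        ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        records.append((ts, event["stats"]))
    return records


def lookup(stats, dotted_path):
    """Walk a dotted path such as 'app_layer.flow.http'; None if any key is missing."""
    node = stats
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def counter_rates(records, counters):
    """Per-second rate of each cumulative counter between successive records.

    Each result dict holds 'interval_s' plus one entry per counter; a missing
    counter or a counter that decreased (reset/restart) yields None.
    """
    rates = []
    for (t0, s0), (t1, s1) in zip(records, records[1:]):
        interval = (t1 - t0).total_seconds()
        row = {"interval_s": interval}
        for name in counters:
            v0, v1 = lookup(s0, name), lookup(s1, name)
            if v0 is None or v1 is None or v1 < v0 or interval <= 0:
                row[name] = None
            else:
                row[name] = (v1 - v0) / interval
        rates.append(row)
    return rates


def rate_ratio(row, numerator, denominator):
    """Ratio of two counter rates in one interval (e.g. tcp.sessions vs app_layer.flow.http)."""
    a, b = row.get(numerator), row.get(denominator)
    if a is None or b is None or b == 0:
        return None
    return a / b


if __name__ == "__main__":
    rows = counter_rates(parse_stats_records(SAMPLE_STATS), COUNTERS)
    for row in rows:
        ratio = rate_ratio(row, "tcp.sessions", "app_layer.flow.http")
        print(row, "sessions/flow.http ratio:", ratio)
```

Running it on the constructed sample gives 500 sessions/s against 10 HTTP flows/s (a 50:1 ratio, as in the question) and 40 HTTP transactions/s for the first two intervals, and None for the interval spanning the simulated restart; pointing it at a real stats.json that was written with "deltas: no" works the same way, while a file written with "deltas: yes" already contains per-interval differences and would only need division by the interval.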