Hi all, I was using Suricata for monitoring traffic. I have a rule - alert http any any -> any any (msg:"HTTP traffic detected-request"; sid:200002; rev:1;) and my configuration (suricata.yaml) file looks like -
outputs:
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve-reg.json
      # include the name of the input pcap file in pcap file processing mode
      pcap-file: false
      # enable/disable the community id feature.
      community-id: false
      # Seed value for the ID output. Valid values are 0-65535.
      community-id-seed: 0
      xff:
        enabled: no
      types:
        - alert:
            payload: yes # enable dumping payload in Base64
            payload-buffer-size: 128kb # max size of payload buffer to output in eve-log
            payload-printable: no # enable dumping payload in printable (lossy) format
            metadata: yes # enable inclusion of app layer metadata with alert. Default yes
            http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
            http-body-printable: no # Requires metadata; enable dumping of HTTP body in printable format
            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes
        - http:
            extended: yes # enable this for extended logging information
            dump-all-headers: both
        - http2:
            extended: yes # enable this for extended logging information
            dump-all-headers: both
For one single piece of traffic (a request to the server) containing a request body of around 70kb, I am getting roughly 100 events which contain the request body in chunks. I am getting the headers in one single event in eve-reg (event_type: http). By any chance, is it possible that I get the complete body in one single event?
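One way to work with the output described above while it stays chunked is to stitch the per-event chunks back together on the analysis side. The script below is an added example, not code from the post or from the Suricata project: it reads newline-delimited eve JSON, groups the base64 `payload` field of alert events by (flow_id, tx_id), orders the chunks by timestamp, and joins each transaction's body to the headers from the matching `http` event. The eve lines it runs on are constructed here for illustration (field names follow the eve alert/http schema; every value is made up), and the assumption that `payload` chunks of one transaction share flow_id and tx_id is the example's own.

```python
import base64
import json
from collections import defaultdict

# Constructed sample eve.json lines (hypothetical, not real Suricata output).
# One http event carries the headers; three alert events for the same
# flow_id/tx_id each carry one base64 chunk of the POST body; a final alert
# on another flow shows that grouping keeps transactions apart.
_CHUNKS = [b"name=alice&file=", b"AAAAAAAAAAAA", b"BBBBBBBB&end=1"]
SAMPLE_EVE = "\n".join(json.dumps(ev) for ev in [
    {"timestamp": "2024-01-01T10:00:00.000000+0000", "flow_id": 42, "tx_id": 0,
     "event_type": "http",
     "http": {"hostname": "upload.example.test", "url": "/upload",
              "http_method": "POST", "length": 42}},
    *[
        {"timestamp": f"2024-01-01T10:00:00.{i:06d}+0000", "flow_id": 42, "tx_id": 0,
         "event_type": "alert",
         "alert": {"signature_id": 200002, "rev": 1,
                   "signature": "HTTP traffic detected-request"},
         "payload": base64.b64encode(chunk).decode()}
        for i, chunk in enumerate(_CHUNKS, start=1)
    ],
    {"timestamp": "2024-01-01T10:00:01.000000+0000", "flow_id": 7, "tx_id": 0,
     "event_type": "alert",
     "alert": {"signature_id": 200002, "rev": 1,
               "signature": "HTTP traffic detected-request"},
     "payload": base64.b64encode(b"q=other").decode()},
])


def parse_eve(text):
    """Yield JSON objects from newline-delimited eve output.

    Blank lines and lines that do not parse (e.g. a half-written record at
    the tail of a live log) are skipped rather than aborting the run.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def reassemble_payloads(text, field="payload"):
    """Concatenate base64 chunks of alert events per (flow_id, tx_id).

    Chunks are ordered by the event timestamp before joining. Retransmitted
    packets would appear as duplicate chunks here; this example does not
    deduplicate them.
    """
    chunks = defaultdict(list)
    for ev in parse_eve(text):
        if ev.get("event_type") != "alert" or field not in ev:
            continue
        key = (ev.get("flow_id"), ev.get("tx_id"))
        chunks[key].append((ev.get("timestamp", ""), base64.b64decode(ev[field])))
    return {k: b"".join(c for _, c in sorted(v)) for k, v in chunks.items()}


def http_transactions(text):
    """Index the header-bearing http events by (flow_id, tx_id)."""
    return {(ev.get("flow_id"), ev.get("tx_id")): ev["http"]
            for ev in parse_eve(text)
            if ev.get("event_type") == "http" and "http" in ev}


def join_requests(text):
    """Return one record per transaction: headers (if logged) plus the rebuilt body."""
    headers = http_transactions(text)
    records = []
    for key, body in reassemble_payloads(text).items():
        h = headers.get(key, {})
        records.append({"flow_id": key[0], "tx_id": key[1],
                        "method": h.get("http_method"), "url": h.get("url"),
                        "body": body, "body_len": len(body)})
    return records


if __name__ == "__main__":
    for rec in join_requests(SAMPLE_EVE):
        print(rec["flow_id"], rec["tx_id"], rec["method"], rec["url"],
              rec["body_len"], rec["body"][:40])
```

On a real deployment, point `join_requests` at the eve file named in the config (eve-reg.json) and expect the `http` event's `length` field to be a useful cross-check against `body_len`: a shorter rebuilt body usually means chunks were dropped or the payload buffer limit was hit, which is worth knowing before treating the reassembled content as complete.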