I downloaded dashboards for ELK Suricata, but there is no data on any HTTP dashboard. I checked for the presence of the fields in the output (for example http.server.keyword, http.status) and there are none. Please tell me whether I have configured logging incorrectly or Suricata does not check HTTP?
capture.kernel_packets | Total | 21285192
decoder.pkts | Total | 21284924
decoder.bytes | Total | 3021594607
decoder.ipv4 | Total | 42459165
decoder.ipv6 | Total | 7769
decoder.ethernet | Total | 42565103
decoder.tcp | Total | 20379152
decoder.udp | Total | 402254
decoder.icmpv4 | Total | 127642
decoder.icmpv6 | Total | 661
decoder.gre | Total | 21280179
decoder.vlan | Total | 21280179
decoder.avg_pkt_size | Total | 141
decoder.max_pkt_size | Total | 1526
decoder.erspan | Total | 21280179
flow.tcp | Total | 295527
flow.udp | Total | 159467
flow.icmpv4 | Total | 12227
flow.icmpv6 | Total | 265
flow.wrk.spare_sync_avg | Total | 100
flow.wrk.spare_sync | Total | 4197
decoder.event.ipv4.trunc_pkt | Total | 2963
decoder.event.ipv6.zero_len_padn | Total | 10
decoder.event.vlan.unknown_type | Total | 3074
flow.wrk.flows_evicted_needs_work | Total | 171
flow.wrk.flows_evicted_pkt_inject | Total | 328
flow.wrk.flows_evicted | Total | 47793
flow.wrk.flows_injected | Total | 165
tcp.sessions | Total | 182633
tcp.syn | Total | 197218
tcp.synack | Total | 110682
tcp.rst | Total | 167321
tcp.reassembly_gap | Total | 145
tcp.overlap | Total | 74
detect.alert | Total | 524
app_layer.flow.tls | Total | 56
app_layer.flow.smb | Total | 1
app_layer.tx.smb | Total | 8
app_layer.flow.dcerpc_tcp | Total | 1
app_layer.tx.dcerpc_tcp | Total | 2
app_layer.flow.ntp | Total | 3525
app_layer.tx.ntp | Total | 2016
app_layer.flow.tftp | Total | 2
app_layer.tx.tftp | Total | 1
app_layer.flow.ikev2 | Total | 17
app_layer.tx.ikev2 | Total | 1
app_layer.flow.krb5_tcp | Total | 1
app_layer.tx.krb5_tcp | Total | 1
app_layer.flow.dhcp | Total | 65
app_layer.tx.dhcp | Total | 289
app_layer.flow.snmp | Total | 49090
app_layer.tx.snmp | Total | 53689
app_layer.flow.sip | Total | 2
app_layer.tx.sip | Total | 2
app_layer.flow.failed_tcp | Total | 7
app_layer.flow.dns_udp | Total | 21904
app_layer.tx.dns_udp | Total | 22403
app_layer.flow.krb5_udp | Total | 321
app_layer.flow.failed_udp | Total | 84541
flow.mgr.full_hash_pass | Total | 52
flow.spare | Total | 10396
flow.mgr.rows_maxlen | Total | 4
flow.mgr.flows_checked | Total | 522034
flow.mgr.flows_notimeout | Total | 108369
flow.mgr.flows_timeout | Total | 413665
flow.mgr.flows_evicted | Total | 413665
flow.mgr.flows_evicted_needs_work | Total | 165
tcp.memuse | Total | 2293760
tcp.reassembly_memuse | Total | 401452
flow.memuse | Total | 9505024
capture.kernel_packets | RX#01-ens160 | 1034
decoder.pkts | RX#01-ens160 | 923
decoder.bytes | RX#01-ens160 | 97422
decoder.ipv4 | RX#01-ens160 | 908
decoder.ethernet | RX#01-ens160 | 923
decoder.udp | RX#01-ens160 | 908
decoder.avg_pkt_size | RX#01-ens160 | 105
decoder.max_pkt_size | RX#01-ens160 | 243
capture.kernel_packets | RX#02-ens160 | 120
decoder.pkts | RX#02-ens160 | 43
decoder.bytes | RX#02-ens160 | 9090
decoder.ipv4 | RX#02-ens160 | 43
decoder.ethernet | RX#02-ens160 | 43
decoder.udp | RX#02-ens160 | 43
decoder.avg_pkt_size | RX#02-ens160 | 211
decoder.max_pkt_size | RX#02-ens160 | 243
capture.kernel_packets | RX#03-ens160 | 191
decoder.pkts | RX#03-ens160 | 112
decoder.bytes | RX#03-ens160 | 18156
decoder.ipv4 | RX#03-ens160 | 112
decoder.ethernet | RX#03-ens160 | 112
decoder.udp | RX#03-ens160 | 112
decoder.avg_pkt_size | RX#03-ens160 | 162
decoder.max_pkt_size | RX#03-ens160 | 243
capture.kernel_packets | RX#04-ens160 | 21283847
decoder.pkts | RX#04-ens160 | 21283846
decoder.bytes | RX#04-ens160 | 3021469939
decoder.ipv4 | RX#04-ens160 | 42458102
decoder.ipv6 | RX#04-ens160 | 7769
decoder.ethernet | RX#04-ens160 | 42564025
decoder.tcp | RX#04-ens160 | 20379152
decoder.udp | RX#04-ens160 | 401191
decoder.icmpv4 | RX#04-ens160 | 127642
decoder.icmpv6 | RX#04-ens160 | 661
decoder.gre | RX#04-ens160 | 21280179
decoder.vlan | RX#04-ens160 | 21280179
decoder.avg_pkt_size | RX#04-ens160 | 141
decoder.max_pkt_size | RX#04-ens160 | 1526
decoder.erspan | RX#04-ens160 | 21280179
flow.tcp | W#01 | 73948
flow.udp | W#01 | 39495
flow.icmpv4 | W#01 | 2816
flow.icmpv6 | W#01 | 216
flow.wrk.spare_sync_avg | W#01 | 100
flow.wrk.spare_sync | W#01 | 1050
decoder.event.ipv4.trunc_pkt | W#01 | 748
decoder.event.vlan.unknown_type | W#01 | 788
flow.wrk.flows_evicted_needs_work | W#01 | 35
flow.wrk.flows_evicted_pkt_inject | W#01 | 64
flow.wrk.flows_evicted | W#01 | 11488
flow.wrk.flows_injected | W#01 | 35
tcp.sessions | W#01 | 45530
tcp.syn | W#01 | 48997
tcp.synack | W#01 | 27806
tcp.rst | W#01 | 42128
tcp.reassembly_gap | W#01 | 38
tcp.overlap | W#01 | 12
detect.alert | W#01 | 130
app_layer.flow.tls | W#01 | 10
app_layer.flow.ntp | W#01 | 982
app_layer.tx.ntp | W#01 | 390
app_layer.flow.ikev2 | W#01 | 16
app_layer.flow.dhcp | W#01 | 59
app_layer.tx.dhcp | W#01 | 265
app_layer.flow.snmp | W#01 | 12266
app_layer.tx.snmp | W#01 | 13414
app_layer.flow.failed_tcp | W#01 | 5
app_layer.flow.dns_udp | W#01 | 5485
app_layer.tx.dns_udp | W#01 | 5602
app_layer.flow.krb5_udp | W#01 | 86
app_layer.flow.failed_udp | W#01 | 20601
flow.tcp | W#02 | 74378
flow.udp | W#02 | 40201
flow.icmpv4 | W#02 | 3173
flow.icmpv6 | W#02 | 35
flow.wrk.spare_sync_avg | W#02 | 100
flow.wrk.spare_sync | W#02 | 1054
decoder.event.ipv4.trunc_pkt | W#02 | 735
decoder.event.vlan.unknown_type | W#02 | 741
flow.wrk.flows_evicted_needs_work | W#02 | 35
flow.wrk.flows_evicted_pkt_inject | W#02 | 68
flow.wrk.flows_evicted | W#02 | 12373
flow.wrk.flows_injected | W#02 | 34
tcp.sessions | W#02 | 45817
tcp.syn | W#02 | 49450
tcp.synack | W#02 | 27815
tcp.rst | W#02 | 41892
tcp.reassembly_gap | W#02 | 23
tcp.overlap | W#02 | 20
detect.alert | W#02 | 114
app_layer.flow.tls | W#02 | 12
app_layer.flow.ntp | W#02 | 751
app_layer.tx.ntp | W#02 | 560
app_layer.flow.krb5_tcp | W#02 | 1
app_layer.tx.krb5_tcp | W#02 | 1
app_layer.flow.snmp | W#02 | 12526
app_layer.tx.snmp | W#02 | 13757
app_layer.flow.sip | W#02 | 1
app_layer.tx.sip | W#02 | 1
app_layer.flow.dns_udp | W#02 | 5531
app_layer.tx.dns_udp | W#02 | 5646
app_layer.flow.krb5_udp | W#02 | 68
app_layer.flow.failed_udp | W#02 | 21324
flow.tcp | W#03 | 73225
flow.udp | W#03 | 40107
flow.icmpv4 | W#03 | 3122
flow.icmpv6 | W#03 | 4
flow.wrk.spare_sync_avg | W#03 | 100
flow.wrk.spare_sync | W#03 | 1042
decoder.event.ipv4.trunc_pkt | W#03 | 709
decoder.event.ipv6.zero_len_padn | W#03 | 3
decoder.event.vlan.unknown_type | W#03 | 802
flow.wrk.flows_evicted_needs_work | W#03 | 48
flow.wrk.flows_evicted_pkt_inject | W#03 | 93
flow.wrk.flows_evicted | W#03 | 12242
flow.wrk.flows_injected | W#03 | 46
tcp.sessions | W#03 | 45271
tcp.syn | W#03 | 49008
tcp.synack | W#03 | 27515
tcp.rst | W#03 | 41644
tcp.reassembly_gap | W#03 | 36
tcp.overlap | W#03 | 25
detect.alert | W#03 | 133
app_layer.flow.tls | W#03 | 19
app_layer.flow.ntp | W#03 | 834
app_layer.tx.ntp | W#03 | 518
app_layer.flow.tftp | W#03 | 1
app_layer.flow.dhcp | W#03 | 6
app_layer.tx.dhcp | W#03 | 24
app_layer.flow.snmp | W#03 | 12088
app_layer.tx.snmp | W#03 | 13173
app_layer.flow.failed_tcp | W#03 | 1
app_layer.flow.dns_udp | W#03 | 5444
app_layer.tx.dns_udp | W#03 | 5552
app_layer.flow.krb5_udp | W#03 | 93
app_layer.flow.failed_udp | W#03 | 21641
flow.tcp | W#04 | 73976
flow.udp | W#04 | 39664
flow.icmpv4 | W#04 | 3116
flow.icmpv6 | W#04 | 10
flow.wrk.spare_sync_avg | W#04 | 100
flow.wrk.spare_sync | W#04 | 1051
decoder.event.ipv4.trunc_pkt | W#04 | 771
decoder.event.ipv6.zero_len_padn | W#04 | 7
decoder.event.vlan.unknown_type | W#04 | 743
flow.wrk.flows_evicted_needs_work | W#04 | 53
flow.wrk.flows_evicted_pkt_inject | W#04 | 103
flow.wrk.flows_evicted | W#04 | 11690
flow.wrk.flows_injected | W#04 | 50
tcp.sessions | W#04 | 46015
tcp.syn | W#04 | 49763
tcp.synack | W#04 | 27546
tcp.rst | W#04 | 41657
tcp.reassembly_gap | W#04 | 48
tcp.overlap | W#04 | 17
detect.alert | W#04 | 147
app_layer.flow.tls | W#04 | 15
app_layer.flow.smb | W#04 | 1
app_layer.tx.smb | W#04 | 8
app_layer.flow.dcerpc_tcp | W#04 | 1
app_layer.tx.dcerpc_tcp | W#04 | 2
app_layer.flow.ntp | W#04 | 958
app_layer.tx.ntp | W#04 | 548
app_layer.flow.tftp | W#04 | 1
app_layer.tx.tftp | W#04 | 1
app_layer.flow.ikev2 | W#04 | 1
app_layer.tx.ikev2 | W#04 | 1
app_layer.flow.snmp | W#04 | 12210
app_layer.tx.snmp | W#04 | 13345
app_layer.flow.sip | W#04 | 1
app_layer.tx.sip | W#04 | 1
app_layer.flow.failed_tcp | W#04 | 1
app_layer.flow.dns_udp | W#04 | 5444
app_layer.tx.dns_udp | W#04 | 5603
app_layer.flow.krb5_udp | W#04 | 74
app_layer.flow.failed_udp | W#04 | 20975
flow.mgr.full_hash_pass | FM#01 | 52
flow.spare | FM#01 | 10396
flow.mgr.rows_maxlen | FM#01 | 4
flow.mgr.flows_checked | FM#01 | 522034
flow.mgr.flows_notimeout | FM#01 | 108369
flow.mgr.flows_timeout | FM#01 | 413665
flow.mgr.flows_evicted | FM#01 | 413665
flow.mgr.flows_evicted_needs_work | FM#01 | 165
tcp.memuse | Global | 2293760
tcp.reassembly_memuse | Global | 401452
flow.memuse | Global | 9505024
At the same time, I see in the logs that Suricata captures packets with port 80.
Hi,
Could you maybe share your suricata.yaml config file and/or confirm that you have http enabled in it? Suricata is capable of logging a lot of info on http (please check 15.1.1. Eve JSON Output in the Suricata 7.0.0-dev documentation). Is that output you've shared from stats.log?
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      # Enable for multi-threaded eve.json output; output files are amended with
      # with an identifier, e.g., eve.9.json
      #threaded: false
      #prefix: "@cee: " # prefix to prepend to each log entry
      # the following are valid when type: syslog above
      identity: "Suricata-IDSSU-01"
      facility: local5
      level: Info ## possible levels: Emergency, Alert, Critical,
                  ## Error, Warning, Notice, Info, Debug
      # include the name of the input pcap file in pcap file processing mode
      pcap-file: false
      # Community Flow ID
      # Adds a 'community_id' field to EVE records. These are meant to give
      # records a predictable flow ID that can be used to match records to
      # output of other tools such as Zeek (Bro).
      #
      # Takes a 'seed' that needs to be same across sensors and tools
      # to make the id less predictable.
      # enable/disable the community id feature.
      community-id: true
      # Seed value for the ID output. Valid values are 0-65535.
      community-id-seed: 0
      # HTTP X-Forwarded-For support by adding an extra field or overwriting
      # the source or destination IP address (depending on flow direction)
      # with the one reported in the X-Forwarded-For HTTP header. This is
      # helpful when reviewing alerts for traffic that is being reverse
      # or forward proxied.
      xff:
        enabled: no
        # Two operation modes are available: "extra-data" and "overwrite".
        mode: extra-data
        # Two proxy deployments are supported: "reverse" and "forward". In
        # a "reverse" deployment the IP address used is the last one, in a
        # "forward" deployment the first IP address is used.
        deployment: reverse
        # Header name where the actual IP address will be reported. If more
        # than one IP address is present, the last IP address will be the
        # one taken into consideration.
        header: X-Forwarded-For
      types:
        - alert:
            # payload: yes # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes # enable dumping payload in printable (lossy) format
            # packet: yes # enable dumping of packet (without stream segments)
            metadata: yes # enable inclusion of app layer metadata with alert. Default yes
            http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
            http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
            # Enable the logging of tagged packets for rules using the
            # "tag" keyword.
            tagged-packets: yes
        - anomaly:
            # Anomaly log records describe unexpected conditions such
            # as truncated packets, packets with invalid IP/UDP/TCP
            # length values, and other events that render the packet
            # invalid for further processing or describe unexpected
            # behavior on an established stream. Networks which
            # experience high occurrences of anomalies may experience
            # packet processing degradation.
            #
            # Anomalies are reported for the following:
            # 1. Decode: Values and conditions that are detected while
            # decoding individual packets. This includes invalid or
            # unexpected values for low-level protocol lengths as well
            # as stream related events (TCP 3-way handshake issues,
            # unexpected sequence number, etc).
            # 2. Stream: This includes stream related events (TCP
            # 3-way handshake issues, unexpected sequence number,
            # etc).
            # 3. Application layer: These denote application layer
            # specific conditions that are unexpected, invalid or are
            # unexpected given the application monitoring state.
            #
            # By default, anomaly logging is enabled. When anomaly
            # logging is enabled, applayer anomaly reporting is
            # also enabled.
            enabled: yes
            #
            # Choose one or more types of anomaly logging and whether to enable
            # logging of the packet header for packet anomalies.
            types:
              # decode: no
              stream: yes
              applayer: yes
              #packethdr: no
        - http:
            extended: yes # enable this for extended logging information
            # custom allows additional HTTP fields to be included in eve-log.
            # the example below adds three additional fields when uncommented
            custom: [Accept-Encoding, Accept-Language, Authorization]
            # set this value to one and only one from {both, request, response}
            # to dump all HTTP headers for every HTTP request and/or response
            dump-all-headers: both
        - dns:
            # This configuration uses the new DNS logging format,
            # the old configuration is still available:
            # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
            # As of Suricata 5.0, version 2 of the eve dns output
            # format is the default.
            # version: 2
            # Enable/disable this logger. Default: enabled.
            enabled: yes
            # Control logging of requests and responses:
            # - requests: enable logging of DNS queries
            # - responses: enable logging of DNS answers
            # By default both requests and responses are logged.
            #requests: no
            #responses: no
            # Format of answer logging:
            # - detailed: array item per answer
            # - grouped: answers aggregated by type
            # Default: all
            # formats: [detailed, grouped]
            # DNS record types to log, based on the query type.
            # Default: all.
            # types: [a, aaaa, cname, mx, ns, ptr, txt]
        - tls:
            extended: yes # enable this for extended logging information
            # output TLS transaction where the session is resumed using a
            # session id
            # session-resumption: no
            # custom controls which TLS fields that are included in eve-log
            #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s]
            custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, chain, ja3s]
        - files:
            force-magic: no # force logging magic on all logged files
            # force logging of checksums, available hash functions are md5,
            # sha1 and sha256
            # force-hash: [md5]
        #- drop:
        #    alerts: yes # log alerts that caused drops
        #    flows: all # start or all: 'start' logs only a single drop
        #                # per flow direction. All logs each dropped pkt.
        - smtp:
            extended: yes # enable this for extended logging information
            # this includes: bcc, message-id, subject, x_mailer, user-agent
            # custom fields logging from the list:
            # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
            # x-originating-ip, in-reply-to, references, importance, priority,
            # sensitivity, organization, content-md5, date
            custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
            # output md5 of fields: body, subject
            # for the body you need to set app-layer.protocols.smtp.mime.body-md5
            # to yes
            # md5: [body, subject]
        #- dnp3
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ikev2
        - dcerpc
        - krb5
        - snmp
        - rfb
        - sip
        - dhcp:
            enabled: yes
            # When extended mode is on, all DHCP messages are logged
            # with full detail. When extended mode is off (the
            # default), just enough information to map a MAC address
            # to an IP address is logged.
            extended: yes
        - ssh
        - mqtt:
            # passwords: yes # enable output of passwords
        # HTTP2 logging. HTTP2 support is currently experimental and
        # disabled by default. To enable, uncomment the following line
        # and be sure to enable http2 in the app-layer section.
        # - http2
        - stats:
            totals: yes # stats for all threads merged together
            threads: no # per thread stats
            deltas: no # include delta values
        # bi-directional flows
        - flow
        # uni-directional flows
        #- netflow
        # Metadata event type. Triggered whenever a pktvar is saved
        # and will include the pktvars, flowvars, flowbits and
        # flowints.
        #- metadata

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      extended: yes # enable this for extended logging information
      custom: yes # enable the custom logging format (defined by customformat)
      customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  # a line based log of TLS handshake parameters (no alerts)
  - tls-log:
      enabled: yes # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
      extended: yes # Log extended information like fingerprint
      #custom: yes # enabled the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
      # output TLS transaction where the session is resumed using a
      # session id
      #session-resumption: no

  # output module to store certificates chain to disk
  - tls-store:
      #enabled: yes
      #certs-log-dir: certs # directory to store the certificates files
Yes, this is status.log. Moreover, http-data.log and http.log are empty
What Suricata version are you running? Can you confirm that http is enabled in the app-layer.protocols section in your suricata.yaml file?
Suricata version 6.0.3
    http:
      enabled: yes
      # memcap: Maximum memory capacity for HTTP
      # Default is unlimited, values can be 64mb, e.g.
      # default-config: Used when no server-config matches
      # personality: List of personalities used by default
      # request-body-limit: Limit reassembly of request body for inspection
      # by http_client_body & pcre /P option.
      # response-body-limit: Limit reassembly of response body for inspection
      # by file_data, http_server_body & pcre /Q option.
      #
      # For advanced options, see the user guide
      # server-config: List of server configurations to use if address matches
      # address: List of IP addresses or networks for this block
      # personality: List of personalities used by this block
      #
      # Then, all the fields from default-config can be overloaded
      #
      # Currently Available Personalities:
      # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      # IIS_7_0, IIS_7_5, Apache_2
      libhtp:
        default-config:
          personality: IDS
      libhtp:
        default-config:
          personality: IDS
          # Can be specified in kb, mb, gb. Just a number indicates
          # it's in bytes.
          request-body-limit: 100kb
          response-body-limit: 100kb
          # inspection limits
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          # response body decompression (0 disables)
          response-body-decompress-layer-limit: 2
          # auto will use http-body-inline mode in IPS mode, yes or no set it statically
          http-body-inline: auto
          # Decompress SWF files.
          # Two types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
          # compress-depth:
          # Specifies the maximum amount of data to decompress,
          # set 0 for unlimited.
          # decompress-depth:
          # Specifies the maximum amount of decompressed data to obtain,
          # set 0 for unlimited.
          swf-decompression:
            enabled: yes
            type: both
            compress-depth: 100kb
            decompress-depth: 100kb
          # Use a random value for inspection sizes around the specified value.
          # This lowers the risk of some evasion techniques but could lead
          # to detection change between runs. It is set to 'yes' by default.
          #randomize-inspection-sizes: yes
          # If "randomize-inspection-sizes" is active, the value of various
          # inspection size will be chosen from the [1 - range%, 1 + range%]
          # range
          # Default value of "randomize-inspection-range" is 10.
          #randomize-inspection-range: 10
          # decoding
          double-decode-path: no
          double-decode-query: no
          # Can enable LZMA decompression
          #lzma-enabled: false
          # Memory limit usage for LZMA decompression dictionary
          # Data is decompressed until dictionary reaches this size
          #lzma-memlimit: 1mb
          # Maximum decompressed size with a compression ratio
          # above 2048 (only LZMA can reach this ratio, deflate cannot)
          #compression-bomb-limit: 1mb
          # Maximum time spent decompressing a single transaction in usec
          #decompression-time-limit: 100000
        server-config:
          #- apache:
          #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
          #    personality: Apache_2
          #    # Can be specified in kb, mb, gb. Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no
          #- iis7:
          #    address:
          #      - 192.168.0.0/24
          #      - 192.168.10.0/24
          #    personality: IIS_7_0
          #    # Can be specified in kb, mb, gb. Just a number indicates
          #    # it's in bytes.
          #    request-body-limit: 4096
          #    response-body-limit: 4096
          #    double-decode-path: no
          #    double-decode-query: no
I see that it matches erspan, gre and vlan, so what does your captured traffic look like exactly? Maybe it's an issue within the traffic or the encapsulation. You can also run tcpdump on the interface to create a pcap, look into that to see if it's correct http traffic, and rerun it against Suricata with the -r feature and see if http events are seen.
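A scripted version of that check, added here and not part of the thread: it captures a pcap from the interface, replays it with suricata -r into a scratch directory, and then reads the resulting stats.log and eve.json to say whether the HTTP parser ever saw a flow and whether any http EVE records were written. The interface name ens160 is taken from the stats output above; the output directory, packet count and the path /etc/suricata/suricata.yaml are assumptions.

```shell
#!/bin/sh
# Added troubleshooting script, not from the thread. The interface name
# ens160 comes from the stats.log above; tcpdump and suricata must be on PATH
# for the capture/replay step, the check functions only need awk and grep.
set -eu

# stats_total FILE COUNTER: print the "Total" column of one stats.log counter,
# or 0 when it is absent (Suricata omits counters that never incremented, which
# is why no app_layer.flow.http line appears in the output posted above).
stats_total() {
    awk -v name="$2" '$1 == name && $3 == "Total" { v = $5 } END { print v + 0 }' "$1"
}

# count_events FILE TYPE: number of EVE records in FILE with that event_type.
count_events() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c "\"event_type\": *\"$2\"" "$1" || true
}

# http_diagnose STATS EVE: returns 0 when HTTP was both parsed and logged;
# otherwise prints which stage is missing and returns 1.
http_diagnose() {
    flows=$(stats_total "$1" app_layer.flow.http)
    events=$(count_events "$2" http)
    if [ "$flows" -eq 0 ]; then
        echo "no app_layer.flow.http counter: the HTTP parser never saw a flow" \
             "(check app-layer.protocols.http and the ERSPAN/GRE/VLAN decoding)"
        return 1
    fi
    if [ "$events" -eq 0 ]; then
        echo "$flows HTTP flows parsed but no http EVE records: check outputs.eve-log types"
        return 1
    fi
    echo "ok: $flows HTTP flows, $events http EVE records"
}

# capture_and_replay IFACE PACKETS OUTDIR: record PACKETS packets from IFACE
# with tcpdump, replay the pcap through Suricata offline (-r) into OUTDIR and
# diagnose the result. No BPF port filter is used on purpose: the traffic in
# this thread is ERSPAN/GRE encapsulated, so a "tcp port 80" filter would only
# be evaluated against the outer headers and would capture nothing.
capture_and_replay() {
    mkdir -p "$3"
    tcpdump -i "$1" -c "$2" -w "$3/sample.pcap"
    suricata -c /etc/suricata/suricata.yaml -r "$3/sample.pcap" -l "$3"
    http_diagnose "$3/stats.log" "$3/eve.json"
}

# Usage: sh check_http.sh ens160 20000 /tmp/suri-replay
if [ "$#" -eq 3 ]; then
    capture_and_replay "$1" "$2" "$3"
fi
```

If the replay shows HTTP flows but the live run does not, the difference lies in the live capture path rather than in the logging configuration.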