[Oisf-users] issue with event size

erik clark philosnef at gmail.com
Thu Jul 27 12:59:53 UTC 2017


In suricata.yaml, in the libhtp section, I put:

request-body-limit: 3kb
response-body-limit: 3kb

but I am curious. If it is gzipped encoded, what would that turn out to be
after unpacking? Is this the correct place to put it?

On Thu, Jul 27, 2017 at 8:54 AM, Giuseppe Longo <lists at glongo.it> wrote:

> Hello,
> On Thu, 27/07/2017 at 07.50 -0400, erik clark wrote:
> > So, I am pushing events into splunk from suricata. Life was great
> > before http_response_body and http_request_body. However, after
> > turning them on, I got a 28k size event, which caused a malformed
> > event to be pushed into splunk, making it unreadable, as our splunk
> > has a limit of 10k for an event. How can I limit the size of the
> > http_response_body and http_request_body to the first 3k each? I am
> > sure I have events bigger than this. Thanks!
> >
>
> The problem of limiting http_request_body/http_response_body is that if
> the matching part is lost there is no more interest.
>
> To have smaller events you can try to decrease
> request-body-minimal-inspect-size and
> response-body-minimal-inspect-size.
>
> BR,
> Giuseppe
>
>
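The reply above makes the trade-off explicit: lowering the body limits inside Suricata itself can throw away the very bytes a rule matched on. One way to respect a downstream size cap without touching Suricata's inspection is to trim the body fields at the forwarding stage, after the alert has already fired. The script below is an added example written for this thread, not code from Suricata or from either poster. It assumes EVE JSON output where `http.http_request_body` and `http.http_response_body` carry base64-encoded bodies, uses a constructed sample event, and the `body_truncated` marker field is an assumed name, not a Suricata key.

```python
import base64
import json
from typing import Dict, List, Tuple

# Constructed sample EVE-style http event (not real Suricata output). The two
# body fields are assumed to be base64, as in EVE's http body logging.
SAMPLE_EVENT: Dict = {
    "timestamp": "2017-07-27T12:00:00.000000+0000",
    "event_type": "http",
    "src_ip": "10.0.0.5",
    "dest_ip": "10.0.0.9",
    "http": {
        "hostname": "example.invalid",
        "url": "/upload",
        "http_method": "POST",
        "http_request_body": base64.b64encode(b"A" * 8000).decode(),
        "http_response_body": base64.b64encode(b"B" * 20000).decode(),
    },
}

BODY_FIELDS = ("http_request_body", "http_response_body")


def serialized_size(event: Dict) -> int:
    """Size in bytes of the event as it would be sent on the wire."""
    return len(json.dumps(event, separators=(",", ":")).encode())


def decoded_len(b64: str) -> int:
    """Length of the raw body behind a base64 field."""
    return len(base64.b64decode(b64))


def truncate_body(b64: str, budget: int) -> Tuple[str, bool]:
    """Decode a base64 body, keep only the first `budget` raw bytes and
    re-encode. Returns (new_value, was_truncated)."""
    raw = base64.b64decode(b64)
    if len(raw) <= budget:
        return b64, False
    return base64.b64encode(raw[:budget]).decode(), True


def cap_event(event: Dict, max_event_bytes: int, body_budget: int) -> Dict:
    """Return a copy of `event` whose serialized size fits max_event_bytes,
    trimming the body fields first. Raises if it still does not fit, so the
    caller can route the event elsewhere instead of shipping a malformed one."""
    out = json.loads(json.dumps(event))  # cheap deep copy
    http = out.get("http", {})
    truncated: List[str] = []
    for field in BODY_FIELDS:
        if field in http:
            http[field], cut = truncate_body(http[field], body_budget)
            if cut:
                truncated.append(field)
    if truncated:
        # Assumed marker field so analysts know the body is partial.
        http["body_truncated"] = truncated
    size = serialized_size(out)
    if size > max_event_bytes:
        raise ValueError(f"event still {size} bytes after trimming bodies")
    return out


if __name__ == "__main__":
    # 10k event limit as in the thread, 3k of raw body per field kept.
    print("before:", serialized_size(SAMPLE_EVENT), "bytes")
    capped = cap_event(SAMPLE_EVENT, max_event_bytes=10 * 1024, body_budget=3 * 1024)
    print("after: ", serialized_size(capped), "bytes")
    print("truncated fields:", capped["http"]["body_truncated"])
```

Because the cut happens on the decoded bytes, the budget is expressed in raw body size rather than in base64 characters, and the marker field lets a Splunk search distinguish a genuinely short body from one that was trimmed in transit.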