[Oisf-users] Add HTTP Payload to eve-log
Konstantin Klinger
konstantinklinger at mailbox.org
Sun Jan 5 08:57:41 UTC 2020
Hi Felix,
Which Suricata version are you running? And can you please share your suricata.yaml configuration? As far as I can see, the fields http_request_body and http_response_body are supported since Suricata 4.0 in the eve json output, but you have to enable them in the configuration:
metadata: yes # enable inclusion of app layer metadata with alert. Default yes
http-body: yes # Requires metadata; enable dumping of http body in Base64
http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
For further questions on the eve json format maybe this link will help you: https://github.com/satta/suricata-json-schema
We would also be very happy for any contribution to that repo to improve the documentation of the eve json output fields.
Cheers,
Konstantin
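An added example, not from this thread or from the Suricata project, of consuming the fields the configuration above enables: it reads eve.json lines and base64-decodes http_request_body / http_response_body from alert events, skipping alerts that carry no "http" block (metadata off, or a non-HTTP flow), non-alert events and unparseable lines. The sample lines, IPs and signature ids are constructed.

```python
import base64
import binascii
import json

# Constructed sample eve.json lines (not real captures): one alert with the
# base64 body fields that "http-body: yes" adds, one alert logged without
# metadata, one plain http event (no body fields) and one corrupt line.
_REQ = base64.b64encode(b"user=admin&pass=secret").decode()
_RESP = base64.b64encode(b"<html>login failed</html>").decode()
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "alert": {"signature_id": 2000001, "signature": "CONSTRUCTED test"},
                "http": {"hostname": "example.test", "url": "/login",
                         "http_request_body": _REQ, "http_response_body": _RESP}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.6", "dest_ip": "10.0.0.9",
                "alert": {"signature_id": 2000002, "signature": "CONSTRUCTED no md"}}),
    json.dumps({"event_type": "http", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9",
                "http": {"hostname": "example.test", "url": "/"}}),
    "{not valid json",
]

def decode_body(field):
    """Decode one base64 body field; None if absent or not valid base64."""
    if not field:
        return None
    try:
        return base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return None

def extract_http_bodies(lines):
    """Records for alerts carrying HTTP body metadata; other events are skipped."""
    records = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        http = event.get("http")
        if event.get("event_type") != "alert" or not http:
            continue
        records.append({
            "sid": event.get("alert", {}).get("signature_id"),
            "src_ip": event.get("src_ip"),
            "url": http.get("url"),
            "request_body": decode_body(http.get("http_request_body")),
            "response_body": decode_body(http.get("http_response_body")),
        })
    return records
```

Run it against a real eve.json by replacing SAMPLE_EVE_LINES with the file's lines; alerts without the body fields are the ones logged before http-body was enabled.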
> On January 5, 2020 at 4:20 AM Felix Müller <ffomueller at gmail.com> wrote:
>
>
> Hi,
>
> is it possible to add the payload of the type "http" to eve.log even
> when the event has not triggered an alert?
>
> I searched in the configuration and the documentation and it seems that
> it is only possible to get http payloads to a separate file with the option
> "http-body-data".
>
>
> Regards
>
> Felix