[Oisf-users] Add HTTP Payload to eve-log
Felix Müller
ffomueller at gmail.com
Mon Jan 6 00:28:31 UTC 2020
Hi Konstantin,
thanks for your answer.
I am running Suricata 4.1.2 installed from the Debian Repo.
I think this is the relevant part of my suricata.yaml:
- eve-log:
    enabled: yes
    filetype: regular
    filename: eve.json
    types:
      - alert:
          payload: yes
          payload-buffer-size: 4kb
          payload-printable: yes
          packet: no
          http-body: yes
          http-body-printable: yes
          metadata: yes
          tagged-packets: yes
      - http:
          extended: yes
          metadata: yes
          http-body: yes
          http-body-printable: yes
I tried it after adding your provided config snippet, but there is no
payload included in the http events. This config seems to work only in
the "alert" section.
I also tried this config version of "http", even though
http_request_body and http_response_body are not listed for the "custom"
config ->
https://suricata.readthedocs.io/en/suricata-5.0.0/output/eve/eve-json-output.html#http
- http:
    extended: yes     # enable this for extended logging information
    # custom allows additional http fields to be included in eve-log
    # the example below adds three additional fields when uncommented
    custom: [http_request_body, http_response_body]
    payload: yes
    payload-buffer-size: 4kb
    payload-printable: yes
    metadata: yes
    http-body: yes
    http-body-printable: yes
Regards
Felix
On 05.01.20 09:57, Konstantin Klinger wrote:
> Hi Felix,
>
> which Suricata version are you running? And can you please share your suricata.yaml configuration? As far as I can see the fields http_request_body and http_response_body are supported since Suricata 4.0 in the eve json output, but you have to enable it in the configuration:
>
> metadata: yes # enable inclusion of app layer metadata with alert. Default yes
> http-body: yes # Requires metadata; enable dumping of http body in Base64
> http-body-printable: yes # Requires metadata; enable dumping of http body in printable format
>
> For further questions on the eve json format maybe this link will help you: https://github.com/satta/suricata-json-schema
> We would also be very happy for any contribution to that repo to improve the documentation of the eve json output fields.
>
> Cheers,
>
> Konstantin
>
>> On January 5, 2020 at 4:20 AM Felix Müller <ffomueller at gmail.com> wrote:
>>
>>
>> Hi,
>>
>> is it possible to add the payload of the type "http" to eve.log even
>> when the event has not triggered an alert?
>>
>> I searched in the configuration and the documentation and it seems that
>> is only possible to get http payloads to a separate file with the option
>> "http-body-data".
>>
>>
>> Regards
>>
>> Felix
>>
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
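A quick way to settle the question raised in this thread, added here as an example and not code from the thread or from the Suricata project, is to run the eve.json produced by the configuration through a small script that reports, per event_type, which records actually carry the body fields (http_request_body, http_request_body_printable, http_response_body, http_response_body_printable inside the "http" object) and decodes the Base64 bodies of any record that has them. The two eve.json records below are constructed for the example: an "alert" record shaped like what the metadata/http-body options produce, and a plain "http" record for a transaction that did not alert. Field names are the ones named in the thread; the event layout otherwise is an assumption. Note that once http-body-printable is on, anything posted in a request body (form credentials included) lands in eve.json in clear text, so the log file needs the same access controls as a capture file.

```python
import base64
import json
from collections import defaultdict

# Constructed sample eve.json lines (not taken from the thread or from a
# real sensor). The "alert" record carries the body fields that the
# metadata / http-body / http-body-printable options add to alerts; the
# "http" record is a non-alerting transaction with no body fields.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2020-01-05T10:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
        "alert": {"signature": "constructed test rule", "signature_id": 1000001},
        "http": {
            "hostname": "example.test", "url": "/login", "http_method": "POST",
            "http_request_body_printable": "user=alice&pass=hunter2",
            "http_request_body": base64.b64encode(b"user=alice&pass=hunter2").decode(),
            "http_response_body_printable": "OK",
            "http_response_body": base64.b64encode(b"OK").decode(),
        },
    }),
    json.dumps({
        "timestamp": "2020-01-05T10:00:01.000000+0000",
        "event_type": "http",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
        "http": {"hostname": "example.test", "url": "/index.html",
                 "http_method": "GET", "status": 200, "length": 512},
    }),
    "not json at all",  # a damaged line must be skipped, not abort the run
]

BODY_FIELDS = ("http_request_body", "http_response_body")


def parse_eve(lines):
    """Parse eve.json lines (one JSON object per line), dropping bad lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def body_field_coverage(events):
    """Count, per event_type, how many records carry each body field.

    Returns {event_type: {"_events": n, field_name: count, ...}} so the
    answer to "does the http type ever get a body?" is a direct lookup.
    """
    cov = defaultdict(lambda: defaultdict(int))
    for ev in events:
        et = ev.get("event_type", "?")
        cov[et]["_events"] += 1
        http = ev.get("http", {})
        for f in BODY_FIELDS:
            if f in http:
                cov[et][f] += 1
            if f + "_printable" in http:
                cov[et][f + "_printable"] += 1
    return {et: dict(c) for et, c in cov.items()}


def decode_bodies(event):
    """Base64-decode the raw body fields of one event; None on bad Base64."""
    http = event.get("http", {})
    out = {}
    for f in BODY_FIELDS:
        if f in http:
            try:
                out[f] = base64.b64decode(http[f], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                out[f] = None
    return out


if __name__ == "__main__":
    # Replace SAMPLE_EVE_LINES with open("/var/log/suricata/eve.json") on a sensor.
    evs = parse_eve(SAMPLE_EVE_LINES)
    for et, counts in sorted(body_field_coverage(evs).items()):
        print(et, counts)
    for ev in evs:
        for name, raw in decode_bodies(ev).items():
            print(ev["event_type"], name, raw)
```

On a real sensor, point parse_eve at the eve.json lines and compare the "alert" and "http" rows: if only the "alert" row shows non-zero body counts, the body options are taking effect for alerts alone, which is what the thread observes.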