List: oisf-users
Subject: Re: [Oisf-users] Add HTTP Payload to eve-log
From: Felix_Müller <ffomueller () gmail ! com>
Date: 2020-01-06 0:28:31
Message-ID: dfafb1f8-9e4e-cfb8-ab8d-20879567cb78 () gmail ! com
Hi Konstantin,
thanks for your answer.
I am running Suricata 4.1.2 installed from the Debian Repo.
I think this is the relevant part of my suricata.yaml:

  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json

      types:
        - alert:
            payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            packet: no
            http-body: yes
            http-body-printable: yes
            metadata: yes
            tagged-packets: yes
        - http:
            extended: yes
            metadata: yes
            http-body: yes
            http-body-printable: yes
I tried it after adding your provided config snippet, but there is no
payload included in the http events. This config seems to work only in
the "alert" section.
I also tried this config version of "http", even though
http_request_body and http_response_body are not listed for the "custom"
config ->
https://suricata.readthedocs.io/en/suricata-5.0.0/output/eve/eve-json-output.html#http
  - http:
      extended: yes     # enable this for extended logging information
      # custom allows additional http fields to be included in eve-log
      # the example below adds three additional fields when uncommented
      custom: [http_request_body, http_response_body]
      payload: yes
      payload-buffer-size: 4kb
      payload-printable: yes
      metadata: yes
      http-body: yes
      http-body-printable: yes
Regards
Felix
On 05.01.20 09:57, Konstantin Klinger wrote:
> Hi Felix,
>
> which Suricata version are you running? And can you please share your suricata.yaml
> configuration? As far as I can see the fields http_request_body and
> http_response_body are supported since Suricata 4.0 in the eve json output, but you
> have to enable it in the configuration:
>
>   metadata: yes             # enable inclusion of app layer metadata with alert. Default yes
>   http-body: yes            # Requires metadata; enable dumping of http body in Base64
>   http-body-printable: yes  # Requires metadata; enable dumping of http body in printable format
>
> For further questions on the eve json format maybe this link will help you:
> https://github.com/satta/suricata-json-schema We would also be very happy for any
> contribution to that repo to improve the documentation of the eve json output
> fields.
> Cheers,
>
> Konstantin
>
> > On January 5, 2020 at 4:20 AM Felix Müller <ffomueller@gmail.com> wrote:
> >
> >
> > Hi,
> >
> > is it possible to add the payload of the type "http" to eve.log even
> > when the event has not triggered an alert?
> >
> > I searched in the configuration and the documentation and it seems that
> > it is only possible to get http payloads to a separate file with the option
> > "http-body-data".
> >
> >
> > Regards
> >
> > Felix
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
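The question in this thread boils down to "did the body options actually take effect for a given event type?". A quick way to answer it, after changing suricata.yaml and restarting Suricata, is to scan eve.json and count, per event_type, which of the HTTP body fields are present. The script below is an added example and not part of the mailing-list thread or of Suricata itself. It assumes the body fields appear under the event's "http" object with the names used by the alert logger (http_request_body, http_request_body_printable, http_response_body, http_response_body_printable); the two sample events embedded in it are constructed, not captured traffic, and the log path in the usage note is only the usual default.

```python
"""Report which eve.json event types carry HTTP body fields.

Added example, not code from the thread or from Suricata. Field names follow
Suricata's alert logger output for http-body / http-body-printable; the
sample events are constructed for offline use.
"""
import base64
import json
from collections import defaultdict

BODY_FIELDS = (
    "http_request_body",
    "http_request_body_printable",
    "http_response_body",
    "http_response_body_printable",
)

# Constructed sample log: one alert that carries a base64 + printable request
# body, and one plain http event that carries no body fields at all.
SAMPLE_EVE = "\n".join([
    json.dumps({
        "timestamp": "2020-01-06T00:28:31.000000+0100",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
        "alert": {"signature_id": 1, "signature": "constructed test rule"},
        "http": {
            "hostname": "example.test",
            "url": "/search",
            "http_method": "POST",
            "http_request_body": base64.b64encode(b"q=suricata").decode(),
            "http_request_body_printable": "q=suricata",
        },
    }),
    json.dumps({
        "timestamp": "2020-01-06T00:28:32.000000+0100",
        "event_type": "http",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
        "http": {"hostname": "example.test", "url": "/search",
                 "http_method": "POST", "status": 200},
    }),
])


def body_field_coverage(eve_text):
    """Return {event_type: {field: count}} for body fields found under "http".

    Every event_type seen is reported, so an "http" entry with all-zero counts
    tells you the http logger is not emitting bodies with the current config.
    """
    coverage = defaultdict(lambda: {f: 0 for f in BODY_FIELDS})
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live eve.json often ends in a partially written line
        counts = coverage[ev.get("event_type", "unknown")]
        http = ev.get("http") or {}
        for field in BODY_FIELDS:
            if field in http:
                counts[field] += 1
    return dict(coverage)


def decoded_request_bodies(eve_text):
    """Return [(event_type, body_bytes)] for events with a base64 request body."""
    found = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        b64 = (ev.get("http") or {}).get("http_request_body")
        if b64:
            found.append((ev.get("event_type"), base64.b64decode(b64)))
    return found


if __name__ == "__main__":
    import sys
    # Pass a real eve.json path as the first argument; without one the
    # constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EVE
    for etype, counts in sorted(body_field_coverage(text).items()):
        present = [f for f, n in counts.items() if n]
        print(f"{etype}: {', '.join(present) or 'no body fields'}")
```

Run it as `python3 check_eve_bodies.py /var/log/suricata/eve.json` (the directory is the common default, not something the thread states). On the constructed sample it prints body fields for "alert" and "no body fields" for "http", which is exactly the symptom described above; on a real log the per-type counts show whether a config change reached the http logger or only the alert logger. Note that a base64 body needs decoding before any inspection, which is why the second function is included.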