Documentation #2640

closed

http-body and http-body-printable in eve-log require metadata to be enabled, yet there is no indication of this anywhere

Added by Eric Urban about 6 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort: low
Difficulty: low
Label:

Description

Summary
In Suricata, when enabling outputs.eve-log.types.alert.http-body or .http-body-printable, it is required that either outputs.eve-log.types.alert.metadata or outputs.eve-log.types.alert.http be enabled. Otherwise there is no output in the eve-log.

If this is intentional to require metadata be enabled, then it should at least be documented in the standard documentation and/or in suricata.yaml next to the config option. Another suggestion would be to have this embedded under outputs.eve-log.types.alert.metadata or .http if metadata is required in order for body logging to occur.

Steps to reproduce
  1. Start with the default suricata.yaml config file.
  2. Set outputs.eve-log.types.alert.metadata to no.
  3. Set outputs.eve-log.types.alert.http-body and/or outputs.eve-log.types.alert.http-body-printable to yes.
  4. Generate HTTP traffic that will cause some alert to trigger.

Actual results
There is no http-body/http-body-response data in the eve-log. If this is by design, I was not able to find documentation supporting it.

Expected results
This behavior should at a minimum be documented. It would be more self-documenting if the config option were nested under the metadata config option.
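The two alert configurations described in the report, written out as an added illustration (this is not part of the original issue or of the Suricata project files; the surrounding eve-log keys follow the default suricata.yaml layout, and the output file name is a placeholder):

```yaml
# Added illustration of the behaviour reported above; not from the issue.
# Two alternative suricata.yaml fragments, separated as YAML documents.

# Fragment 1: the reproduction steps. Body logging is switched on but
# metadata is switched off. Alert events are still written to eve.json,
# yet no http-body / http-body-printable data appears in them.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json           # placeholder path
      types:
        - alert:
            metadata: no             # disabled, as in step 2 of the report
            http-body: yes           # step 3: requested, but silently ignored
            http-body-printable: yes # step 3: requested, but silently ignored
---
# Fragment 2: the working configuration. metadata is left enabled (its
# default), which is the undocumented prerequisite the report identifies,
# so the body fields are emitted with the alert's app-layer metadata.
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json           # placeholder path
      types:
        - alert:
            metadata: yes            # required for the two options below
            http-body: yes
            http-body-printable: yes
```

When auditing an existing deployment for this gap, check that any alert block setting http-body or http-body-printable to yes does not also set metadata to no.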
