Documentation #2640
closed
http-body and http-body-printable in eve-log require metadata to be enabled, yet there is no indication of this anywhere
Added by Eric Urban about 6 years ago.
Updated about 5 years ago.
Description
Summary
In Suricata, when enabling outputs.eve-log.types.alert.http-body or .http-body-printable, it is required that either outputs.eve-log.types.alert.metadata or outputs.eve-log.types.alert.http be enabled. Otherwise there is no output in the eve-log.
If this is intentional to require metadata be enabled, then it should at least be documented in the standard documentation and/or in suricata.yaml next to the config option. Another suggestion would be to have this embedded under outputs.eve-log.types.alert.metadata or .http if metadata is required in order for body logging to occur.
Steps to reproduce
- Start with the default suricata.yaml config file.
- Set outputs.eve-log.types.alert.metadata to no.
- Set outputs.eve-log.types.alert.http-body and/or outputs.eve-log.types.alert.http-body-printable to yes.
- Generate HTTP traffic that will cause some alert to trigger.
Actual results
There is no http-body/http-body-response data in the eve-log. If this is by design, I was not able to find documentation supporting it.
Expected results
This behavior should at a minimum be documented. It would be more self-documented if the config option was nested under the metadata config option.
The current default config from suricata.yaml makes this confusing since the other options indented to the same level as http-body are not dependent on another config option at that same level in order to be enabled. For example, payload will be logged regardless of whether or not packet or metadata are enabled.
      types:
        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            # payload-printable: yes   # enable dumping payload in printable (lossy) format
            # packet: yes              # enable dumping of packet (without stream segments)
            # http-body: yes           # enable dumping of http body in Base64
            # http-body-printable: yes # enable dumping of http body in printable format
            metadata: yes              # add L7/applayer fields, flowbit and other vars to the alert
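As an added check, not part of the report above nor of Suricata's own code, the following Python walks a parsed suricata.yaml and flags the exact situation the reporter ran into: http-body or http-body-printable switched on while neither metadata nor the older http key is enabled in the same alert section. It assumes the dependency exactly as the report states it for the affected version, and it assumes the list-of-single-key-mappings layout suricata.yaml uses for outputs and types. The two sample configs are constructed inline to mirror the reproduction steps; they are not captured from a real deployment.

```python
"""Flag eve-log alert sections whose http-body options cannot produce output.

Added example, not Suricata project code.  Assumes the dependency as the
report describes it: ``http-body`` / ``http-body-printable`` only log when
``metadata`` (or the older ``http`` key) is enabled in the same alert section.
"""

# Values suricata.yaml treats as "on".  PyYAML (YAML 1.1) already turns a
# bare ``yes`` into ``True``, so both spellings must be accepted.
_TRUTHY = {"yes", "true", "on", "1"}


def _enabled(value):
    """Return True if a suricata.yaml boolean-ish value means 'on'."""
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    return str(value).strip().lower() in _TRUTHY


def _first_item(seq_of_mappings, key):
    """``outputs`` and ``types`` are lists of single-key mappings
    (``- eve-log: {...}``); return the value under ``key`` from the first
    mapping that carries it, ``{}`` if the key is present but empty
    (``- alert:`` with every option commented out), or None if absent."""
    for item in seq_of_mappings or []:
        if isinstance(item, dict) and key in item:
            return item[key] or {}
    return None


def find_eve_alert_config(config):
    """Locate outputs -> eve-log -> types -> alert in a parsed suricata.yaml."""
    eve = _first_item(config.get("outputs"), "eve-log")
    if eve is None:
        return None
    return _first_item(eve.get("types"), "alert")


def check_alert_body_logging(alert_cfg):
    """Return warnings for body options that are on but cannot emit anything."""
    if alert_cfg is None:
        return ["eve-log has no alert type configured"]
    body_keys = [k for k in ("http-body", "http-body-printable")
                 if _enabled(alert_cfg.get(k))]
    if not body_keys:
        return []
    if _enabled(alert_cfg.get("metadata")) or _enabled(alert_cfg.get("http")):
        return []
    return [f"{k} is enabled but neither metadata nor http is; "
            "no HTTP body will appear in eve.json" for k in body_keys]


def check_config(config):
    """Convenience wrapper: full parsed suricata.yaml in, warnings out."""
    return check_alert_body_logging(find_eve_alert_config(config))


# Constructed sample matching the reproduction steps in the report
# (metadata off, body logging on), in the shape yaml.safe_load would give.
BROKEN_CONFIG = {
    "outputs": [
        {"eve-log": {
            "enabled": True,
            "filename": "eve.json",
            "types": [
                {"alert": {
                    "payload": True,
                    "http-body": True,           # PyYAML-style bool
                    "http-body-printable": "yes",  # string-style bool
                    "metadata": "no",
                }},
                {"http": {"extended": True}},   # sibling type, not under alert
            ],
        }},
    ]
}

# Same file with metadata re-enabled, which satisfies the dependency.
FIXED_CONFIG = {
    "outputs": [
        {"eve-log": {
            "enabled": True,
            "filename": "eve.json",
            "types": [
                {"alert": {
                    "payload": True,
                    "http-body": True,
                    "http-body-printable": True,
                    "metadata": True,
                }},
            ],
        }},
    ]
}

if __name__ == "__main__":
    import sys
    # Pass a real suricata.yaml to check it; that path needs PyYAML installed.
    if len(sys.argv) > 1:
        import yaml
        with open(sys.argv[1]) as fh:
            cfg = yaml.safe_load(fh)
    else:
        cfg = BROKEN_CONFIG
    for line in check_config(cfg) or ["ok: body logging dependency satisfied"]:
        print(line)
```

Run it with no argument to see the two warnings for the constructed broken config, or with a path to a suricata.yaml to check a real one. The lookup deliberately stays under the alert section only, since that is where the reporter says the metadata/http dependency lives; the sibling http type under types is not consulted.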
- Target version set to TBD
- Status changed from New to Assigned
I agree that this might be confusing; we will think about a better way of documenting that.
- Assignee changed from OISF Dev to Jeff Lucovsky
- Priority changed from Low to Normal
- Target version changed from TBD to 5.0.0
- Effort set to low
- Difficulty set to low
- Status changed from Assigned to Closed
- Tracker changed from Support to Optimization
- Affected Versions deleted (4.0.5)
- Tracker changed from Optimization to Documentation