Project

General

Profile

Actions

Documentation #2640

closed

http-body and http-body-printable in eve-log require metadata to be enabled, yet there is no indication of this anywhere

Added by Eric Urban over 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:

Description

Summary
In Suricata when enabling outputs.eve-log.types.alert.http-body or .http-body-printable, it is required that either outputs.eve-log.types.alert.metadata or outputs.eve-log.types.alert.http be enabled. Otherwise there is no output in the eve-log.

If this is intentional to require metadata be enabled, then it should at least be documented in the standard documentation and/or in suricata.yaml next to the config option. Another suggestion would be to have this embedded under outputs.eve-log.types.alert.metadata or .http if metadata is required in order for body logging to occur.

Steps to reproduce
  1. Start with the default suricata.yaml config file.
  2. Set outputs.eve-log.types.alert.metadata to no.
  3. Set outputs.eve-log.types.alert.http-body and/or outputs.eve-log.types.alert.http-body-printable to yes.
  4. Generate HTTP traffic that will cause some alert to trigger.

Actual results
There is no http-body/http-body-response data in the eve-log. If this is by design, I was not able to find documentation supporting it.

Expected results
This behavior should at a minimum be documented. It would be more self-documented if the config option was nested under the metadata config option.

Actions #1

Updated by Eric Urban over 3 years ago

The current default config from suricata.yaml makes this confusing since the other options indented to the same level as http-body are not dependent on another config option at that same level in order to be enabled. For example, payload will be logged regardless of whether or not packet or metadata are enabled.

types:
   - alert:
     # payload: yes             # enable dumping payload in Base64
     # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
     # payload-printable: yes   # enable dumping payload in printable (lossy) format
     # packet: yes              # enable dumping of packet (without stream segments)
     # http-body: yes           # enable dumping of http body in Base64
     # http-body-printable: yes # enable dumping of http body in printable format
     metadata: yes              # add L7/applayer fields, flowbit and other vars to the alert
Actions #2

Updated by Victor Julien about 3 years ago

  • Assignee set to OISF Dev
Actions #3

Updated by Andreas Herz almost 3 years ago

  • Target version set to TBD
Actions #4

Updated by Andreas Herz almost 3 years ago

  • Status changed from New to Assigned

I agree that this might be confusing, we will think about a better way of documenting that.

Actions #5

Updated by Victor Julien over 2 years ago

  • Assignee changed from OISF Dev to Jeff Lucovsky
  • Priority changed from Low to Normal
  • Target version changed from TBD to 5.0.0
Actions #6

Updated by Jeff Lucovsky over 2 years ago

  • Effort set to low
  • Difficulty set to low
Actions #7

Updated by Victor Julien over 2 years ago

  • Status changed from Assigned to Closed
Actions #8

Updated by Victor Julien over 2 years ago

  • Tracker changed from Support to Optimization
  • Affected Versions deleted (4.0.5)
Actions #9

Updated by Victor Julien over 2 years ago

  • Tracker changed from Optimization to Documentation
Actions

Also available in: Atom PDF