Documentation #2640
closed
http-body and http-body-printable in eve-log require metadata to be enabled, yet there is no indication of this anywhere
Description
Summary
In Suricata when enabling outputs.eve-log.types.alert.http-body or .http-body-printable, it is required that either outputs.eve-log.types.alert.metadata or outputs.eve-log.types.alert.http be enabled. Otherwise there is no output in the eve-log.
If this is intentional to require metadata be enabled, then it should at least be documented in the standard documentation and/or in suricata.yaml next to the config option. Another suggestion would be to have this embedded under outputs.eve-log.types.alert.metadata or .http if metadata is required in order for body logging to occur.
Steps to reproduce
- Start with the default suricata.yaml config file.
- Set outputs.eve-log.types.alert.metadata to no.
- Set outputs.eve-log.types.alert.http-body and/or outputs.eve-log.types.alert.http-body-printable to yes.
- Generate HTTP traffic that will cause some alert to trigger.
Actual results
There is no http-body/http-body-response data in the eve-log. If this is by design, I was not able to find documentation supporting it.
Expected results
This behavior should at a minimum be documented. It would be more self-documented if the config option was nested under the metadata config option.
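
A configuration check for the condition reported above, as an added example that is not part of the original issue or of Suricata: it inspects an already-parsed suricata.yaml and reports body options that are enabled while metadata and http are both off. The function names and the sample config are constructed for illustration, and the treatment of an absent or non-scalar metadata key as "default, not disabled" is an assumption.

```python
# Added example: lint a parsed suricata.yaml for the silent misconfiguration
# described in this issue. Input is the dict a YAML 1.1 loader such as
# yaml.safe_load() (PyYAML) returns; yes/no arrive as booleans there.

BODY_KEYS = ("http-body", "http-body-printable")


def enabled(value):
    """Interpret a scalar as on/off; accepts booleans and yes/no style strings."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("yes", "true", "on", "1")


def alert_sections(config):
    """Yield the option mapping of every eve-log 'alert' type entry."""
    for output in config.get("outputs") or []:
        eve = output.get("eve-log") if isinstance(output, dict) else None
        if not isinstance(eve, dict):
            continue
        for entry in eve.get("types") or []:
            # 'types' mixes bare names ("http") and single-key mappings.
            if isinstance(entry, dict) and isinstance(entry.get("alert"), dict):
                yield entry["alert"]


def silent_body_options(config):
    """Return body options that are enabled but will produce no eve output."""
    findings = []
    for alert in alert_sections(config):
        meta = alert.get("metadata")
        # Assumption: only an explicit scalar "no" disables metadata; an absent
        # or non-scalar value is left alone. An absent 'http' key counts as off.
        metadata_off = isinstance(meta, (bool, str)) and not enabled(meta)
        http_on = enabled(alert.get("http", False))
        if metadata_off and not http_on:
            findings += [k for k in BODY_KEYS if enabled(alert.get(k, False))]
    return findings


# Constructed sample: the issue's reproduction steps applied to a minimal config.
REPRO = {"outputs": [{"eve-log": {"enabled": True, "types": [
    {"alert": {"metadata": False, "http-body": True, "http-body-printable": "yes"}},
    "http",
]}}]}

if __name__ == "__main__":
    for key in silent_body_options(REPRO):
        print(f"alert.{key} is enabled but metadata and http are both off")
```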