Suricata

Hi,

On my Suricata, I don't get 100% of the HTTP events in the EVE file, only some HTTP events, but not all.

Here is my configuration with Suricata :

- Suricata is running on a box with a network interface getting all the traffic from several VLANs
- The traffic is sent to the Suricata box using a port mirroring on my switch
- The suricata configuration is very simple, pretty the same as the default configuration when you install suricata package on Ubuntu 18

What I observed is that if I start a tcpdump, I see all the HTTP traffic hitting the suricata network interface. But at the end, only few HTTP events are written to the EVE file, not all of them.
Moreover, I noticed that it depends on the network/VLAN from which the traffic is coming :

- All the HTTP events coming from my network 172.20.20.0/24 are caught correctly
- All the HTTP events coming from my network 172.20.1.0/24 are missed (no event written in the EVE file)

I've attached to this case a tcpdump started on the suricata box. You can see in this dump there are HTTP requests/responses coming from both 172.20.20.167 and 172.20.1.206
But if I run my suricata (v4.0.5) on this pcap, there are only HTTP events from 172.20.20.167 in the EVE file : (the HTTP events from 172.20.1.206 are missed)

suricata -r http_issue.pcap -l logs

Could you help ?

Thank you

/Michael