Support #2768
Status: closed
Some HTTP events are not written to EVE file
Description
Hi,
On my Suricata, I don't get 100% of the HTTP events in the EVE file, only some HTTP events, but not all.
Here is my configuration with Suricata:
- Suricata is running on a box with a network interface getting all the traffic from several VLANs
- The traffic is sent to the Suricata box using a port mirroring on my switch
- The suricata configuration is very simple, pretty much the same as the default configuration when you install the suricata package on Ubuntu 18
What I observed is that if I start a tcpdump, I see all the HTTP traffic hitting the suricata network interface. But at the end, only a few HTTP events are written to the EVE file, not all of them.
Moreover, I noticed that it depends on the network/VLAN from which the traffic is coming:
- All the HTTP events coming from my network 172.20.20.0/24 are caught correctly
- All the HTTP events coming from my network 172.20.1.0/24 are missed (no event written in the EVE file)
I've attached to this case a tcpdump started on the suricata box. You can see in this dump there are HTTP requests/responses coming from both 172.20.20.167 and 172.20.1.206.
But if I run my suricata (v4.0.5) on this pcap, there are only HTTP events from 172.20.20.167 in the EVE file (the HTTP events from 172.20.1.206 are missed):
suricata -r http_issue.pcap -l logs
Could you help?
Thank you
/Michael
Files
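A triage helper for the comparison the ticket describes (tcpdump shows HTTP requests from a host, eve.json shows no http events for it), added here as an example; it is not part of the ticket, its attachment, or Suricata itself. It reads eve.json line by line and, per source IP, counts http events against flow records to HTTP ports that never got app_proto "http". A source with port-80 flows but zero http events is the one whose flows need a closer look (for instance app_proto "failed", or flows with one packet and no app_proto at all). The field names event_type, src_ip, dest_port and app_proto are Suricata's EVE schema; the sample lines, the HTTP_PORTS set and the function names are constructed for this example, and the check assumes the flow event type is enabled in the eve-log output.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumption: plaintext HTTP ports worth checking; adjust to the monitored network.
HTTP_PORTS = {80, 8080}

# Constructed sample EVE lines (not the ticket's attachment). One source gets an
# http event plus a flow classified as http; the other only gets flows to port 80
# that were never parsed as HTTP (app_proto "failed", or no app_proto at all).
SAMPLE_EVE = """\
{"timestamp":"2018-12-03T10:00:01.000000+0000","event_type":"http","src_ip":"172.20.20.167","dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","http":{"hostname":"example.org","url":"/","http_method":"GET","status":200}}
{"timestamp":"2018-12-03T10:00:02.000000+0000","event_type":"flow","src_ip":"172.20.20.167","dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5}}
{"timestamp":"2018-12-03T10:00:03.000000+0000","event_type":"flow","src_ip":"172.20.1.206","dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","app_proto":"failed","flow":{"pkts_toserver":6,"pkts_toclient":5}}
{"timestamp":"2018-12-03T10:00:04.000000+0000","event_type":"flow","src_ip":"172.20.1.206","dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":0}}
"""


def summarize_http_coverage(eve_lines: Iterable[str]) -> Dict[str, dict]:
    """Per source IP: http events logged, flows to HTTP ports classified as http,
    flows to HTTP ports that ended with some other (or no) app_proto, and the set
    of app_proto values seen on those flows."""
    per_src: Dict[str, dict] = defaultdict(lambda: {
        "http_events": 0,
        "http_flows": 0,
        "port_http_flows_without_http": 0,
        "app_protos": set(),
    })
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a truncated or partially written line
        src = ev.get("src_ip")
        if src is None:
            continue
        stats = per_src[src]
        etype = ev.get("event_type")
        if etype == "http":
            stats["http_events"] += 1
        elif etype == "flow" and ev.get("dest_port") in HTTP_PORTS:
            # A flow record without app_proto means detection never concluded.
            proto = ev.get("app_proto", "unknown")
            stats["app_protos"].add(proto)
            if proto == "http":
                stats["http_flows"] += 1
            else:
                stats["port_http_flows_without_http"] += 1
    return dict(per_src)


def flag_silent_sources(summary: Dict[str, dict]) -> List[str]:
    """Sources that talked to HTTP ports but produced no http event at all."""
    return sorted(src for src, s in summary.items()
                  if s["http_events"] == 0 and s["port_http_flows_without_http"] > 0)


def summarize_file(path: str) -> Dict[str, dict]:
    """Convenience wrapper for a real eve.json produced by `suricata -r ... -l logs`."""
    with open(path, encoding="utf-8") as fh:
        return summarize_http_coverage(fh)


if __name__ == "__main__":
    result = summarize_http_coverage(SAMPLE_EVE.splitlines())
    for src, s in sorted(result.items()):
        print(f"{src:15} http_events={s['http_events']} http_flows={s['http_flows']} "
              f"unparsed_http_port_flows={s['port_http_flows_without_http']} "
              f"app_protos={sorted(s['app_protos'])}")
    print("sources with HTTP-port flows but no http events:", flag_silent_sources(result))
```

Run it against the logs directory from the ticket's own command (`summarize_file("logs/eve.json")`): a source listed by flag_silent_sources with app_proto values like "failed" or "unknown" tells you Suricata saw the flows but never parsed them as HTTP, which narrows the problem to stream reassembly or traffic visibility for that network rather than to the HTTP logger itself.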