Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata Filestore - logging HTTP nonstop

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    2
    567
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by michmoor

      I have filestore working but it seems to be logging HTTP/SMB only where as the eve.json log selection doesn't include HTTP.
      This is after a few Suricata restarts.
      It just really wants to log HTTP for some reason. @bmeeks Any idea?

      78479e0a-2068-4d15-908c-333f642b6a43-image.png

      f0950b36-9d07-4a0e-8d74-b5daa2ee8fda-image.png

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        Those are two independent things: File Store versus EVE JSON http logging. File Store captures all file transfers where appropriate flow bits are set by rules. EVE JSON logging is about capturing the packet metadata and payload (when enabled).

        So, turning off HTTP logging in the EVE JSON logging options should remove logging of HTTP packet metadata, but that will not stop File Store activity related to HTTP. To the best of my recollection that is triggered by the rules you have enabled for file capture and the corresponding flowbits they may set.

        1 Reply Last reply Reply Quote 1
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.