Netgate Discussion Forum

Suricata Filestore - logging HTTP nonstop

IDS/IPS
  • M
    michmoor LAYER 8 Rebel Alliance
    last edited by michmoor Jan 2, 2025, 4:21 PM Jan 2, 2025, 4:20 PM

    I have filestore working but it seems to be logging HTTP/SMB only, whereas the eve.json log selection doesn't include HTTP.
    This is after a few Suricata restarts.
    It just really wants to log HTTP for some reason. @bmeeks Any idea?


    Firewall: NetGate,Palo Alto-VM,Juniper SRX
    Routing: Juniper, Arista, Cisco
    Switching: Juniper, Arista, Cisco
    Wireless: Unifi, Aruba IAP
    JNCIP,CCNP Enterprise

    • B
      bmeeks
      last edited by Jan 2, 2025, 11:05 PM

      Those are two independent things: File Store versus EVE JSON http logging. File Store captures all file transfers where appropriate flow bits are set by rules. EVE JSON logging is about capturing the packet metadata and payload (when enabled).

      So, turning off HTTP logging in the EVE JSON logging options should remove logging of HTTP packet metadata, but that will not stop File Store activity related to HTTP. To the best of my recollection that is triggered by the rules you have enabled for file capture and the corresponding flowbits they may set.

      1 Reply Last reply Reply Quote 1
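To see which enabled rules drive File Store regardless of the EVE HTTP setting, as the reply above describes, one approach is to scan the active rule text for the `filestore` keyword and the flowbits those rules wait on. This is an added example, not code from the thread or from the Suricata package; the function name `audit_filestore_rules` and the sample rules (SIDs, messages, flowbit names) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rules for illustration; SIDs, msgs and flowbit names are made up.
SAMPLE_RULES = r'''
alert http any any -> any any (msg:"constructed: mark EXE download"; fileext:"exe"; flowbits:set,demo.exe; flowbits:noalert; sid:1000001; rev:1;)
alert http any any -> any any (msg:"constructed: store marked EXE"; flowbits:isset,demo.exe; filestore; sid:1000002; rev:1;)
alert smb any any -> any any (msg:"constructed: store SMB files"; filestore; sid:1000003; rev:1;)
# alert ftp-data any any -> any any (msg:"constructed: disabled rule"; filestore; sid:1000004; rev:1;)
alert http any any -> any any (msg:"constructed: alert only; no capture"; content:"demo"; sid:1000005; rev:1;)
'''

RULE = re.compile(r'^(alert|pass|drop|reject)\s+(\S+)\s.*?\((.*)\)\s*$')
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted values may contain ';'

def audit_filestore_rules(rules_text):
    """List enabled rules carrying `filestore`, with the flowbits they wait on."""
    storing, setters = [], defaultdict(list)
    for line in rules_text.splitlines():
        m = RULE.match(line.strip())
        if not m:  # blank lines, comments and disabled ('#') rules
            continue
        # Blank out quoted strings so a ';' inside msg/content cannot split an option.
        opts = [o.strip() for o in QUOTED.sub('""', m.group(3)).split(';') if o.strip()]
        sid = next((int(o[4:]) for o in opts if o.startswith('sid:')), None)
        requires = []
        for o in opts:
            if o.startswith('flowbits:'):
                action, _, name = o[len('flowbits:'):].partition(',')
                if action.strip() == 'set':
                    setters[name.strip()].append(sid)
                elif action.strip() == 'isset':
                    requires.append(name.strip())
        if any(o == 'filestore' or o.startswith('filestore:') for o in opts):
            storing.append({'sid': sid, 'proto': m.group(2), 'requires': requires})
    for rule in storing:  # resolve which enabled rules set each required flowbit
        rule['set_by'] = sorted(s for bit in rule['requires'] for s in setters[bit])
    return storing

if __name__ == '__main__':
    for r in audit_filestore_rules(SAMPLE_RULES):
        print(r)
```

Feed it the rule text the sensor actually loads; any `http` entries in the result keep writing HTTP files to File Store even with HTTP unchecked in the EVE options.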
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.