Hello everyone, I'm running the rule 2008453 and the alert is triggered, but in my pcap I only see the IP/TCP stack and not the HTTP stack, or sometimes only one in two? What might the problem be?
Maybe you should turn on the request log save to pcap in suricata.yaml?
First of all, what version are you using and how did you configure it?
Do you see different events for the same alert? Check the flow_id for the event_type alert and compare it to other event_types like http.
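One way to do the flow_id comparison suggested above, as an added example that is not from the poster or from the Suricata project: it groups eve.json events by flow_id and, for each alert with the given signature ID, reports which other event_types were logged on the same flow. The eve.json lines and the signature name are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample eve.json lines (not real capture data): flow 1001 carries
# both an alert and an http event, flow 1002 has an alert but no http record.
SAMPLE_EVE = """
{"timestamp":"2023-01-01T10:00:00.000000+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":2008453,"signature":"placeholder signature name"}}
{"timestamp":"2023-01-01T10:00:00.100000+0000","flow_id":1001,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","proto":"TCP","http":{"hostname":"example.test","url":"/"}}
{"timestamp":"2023-01-01T10:00:01.000000+0000","flow_id":1002,"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":2008453,"signature":"placeholder signature name"}}
{"timestamp":"2023-01-01T10:00:01.200000+0000","flow_id":1002,"event_type":"flow","src_ip":"10.0.0.6","dest_ip":"192.0.2.10","proto":"TCP"}
"""


def correlate_alerts(eve_lines, sid):
    """Group eve.json events by flow_id; for every flow that has an alert
    matching `sid`, list the other event_types Suricata logged on that flow."""
    by_flow = defaultdict(list)
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        by_flow[ev["flow_id"]].append(ev)

    results = {}
    for flow_id, events in by_flow.items():
        alerts = [e for e in events
                  if e["event_type"] == "alert" and e["alert"]["signature_id"] == sid]
        if not alerts:
            continue
        others = sorted({e["event_type"] for e in events if e["event_type"] != "alert"})
        results[flow_id] = {
            "alert_count": len(alerts),
            "other_event_types": others,
            "has_http": "http" in others,  # the thing the question is about
        }
    return results


def flows_missing_http(eve_lines, sid):
    """flow_ids where the rule fired but no http event was logged on the flow."""
    return sorted(fid for fid, r in correlate_alerts(eve_lines, sid).items()
                  if not r["has_http"])


if __name__ == "__main__":
    for fid, r in correlate_alerts(SAMPLE_EVE.splitlines(), 2008453).items():
        print(fid, r)
    print("alerts without http event:", flows_missing_http(SAMPLE_EVE.splitlines(), 2008453))
```

Run it against the real eve.json instead of SAMPLE_EVE; any flow in `flows_missing_http` is an alert whose flow never produced an http record, which is what the original question describes.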