HTTP rule does not detect http.uri after a certain time

Hello,

I am currently running Suricata version 6.0.15 (downgraded from 7.0.4, which gave the same issue) on Ubuntu 22.0.4 (installed with packages). Everything runs decently; however, I’m having trouble with some rules that look at HTTP traffic when running in offline mode, like the following:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GAI RULESET - ChatGPT - User Prompt Detected (POST)"; http.uri; content:"/backend-api/conversation"; sid:1000003; rev:1;)

The PCAP I use has a single stream of around 5 minutes with 36 POST requests that should match; however, only the first 17, which happen within the first minute, match when looking at the fast.log:

11/15/2023-15:20:56.287733  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:20:58.372631  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:20:58.393296  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:42782 -> 172.64.150.28:80
11/15/2023-15:20:58.393296  [**] [1:1000004:1] GAI RULESET - ChatGPT - Conversation History Request(GET) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:42782 -> 172.64.150.28:80
11/15/2023-15:20:58.567796  [**] [1:1000005:1] GAI RULESET - ChatGPT - Server Prompt Completion Response Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.64.150.28:80 -> 192.168.72.129:35694
11/15/2023-15:21:00.391954  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:00.391954  [**] [1:1000004:1] GAI RULESET - ChatGPT - Conversation History Request(GET) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:00.933283  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:01.068716  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:42782 -> 172.64.150.28:80
11/15/2023-15:21:02.521842  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:02.717245  [**] [1:1000005:1] GAI RULESET - ChatGPT - Server Prompt Completion Response Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.64.150.28:80 -> 192.168.72.129:35694
11/15/2023-15:21:04.469988  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:05.425357  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:05.608740  [**] [1:1000005:1] GAI RULESET - ChatGPT - Server Prompt Completion Response Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.64.150.28:80 -> 192.168.72.129:35694
11/15/2023-15:21:08.462039  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:10.223822  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:10.443143  [**] [1:1000005:1] GAI RULESET - ChatGPT - Server Prompt Completion Response Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.64.150.28:80 -> 192.168.72.129:35694
11/15/2023-15:21:12.887178  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:14.649310  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:14.827304  [**] [1:1000005:1] GAI RULESET - ChatGPT - Server Prompt Completion Response Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.64.150.28:80 -> 192.168.72.129:35694
11/15/2023-15:21:16.651432  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:19.236464  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:19.427637  [**] [1:1000005:1] GAI RULESET - ChatGPT - Server Prompt Completion Response Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.64.150.28:80 -> 192.168.72.129:35694
11/15/2023-15:21:31.156160  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:44.351752  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80

I figured this might be related to some kind of limit; however, after troubleshooting for hours I have no clue how to resolve this. The eve.json logs and the HTTP logs (which I turned on) don’t show the URIs after this either.

I hope someone here can help me out.

Thanks in advance!
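To pin down where matching stops, the fast.log output above can be summarized per flow for one SID: hit count, first and last hit, and the largest gap between hits. This is an added example, not part of the original post; the function names are this example's own and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# fast.log line layout as shown in the post above.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Sample input: five lines copied from the fast.log in the post.
SAMPLE = """\
11/15/2023-15:20:56.287733  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:20:58.393296  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:42782 -> 172.64.150.28:80
11/15/2023-15:20:58.567796  [**] [1:1000005:1] GAI RULESET - ChatGPT - Server Prompt Completion Response Detected [**] [Classification: (null)] [Priority: 3] {TCP} 172.64.150.28:80 -> 192.168.72.129:35694
11/15/2023-15:21:31.156160  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
11/15/2023-15:21:44.351752  [**] [1:1000003:1] GAI RULESET - ChatGPT - User Prompt Detected (POST) [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.72.129:35694 -> 172.64.150.28:80
""".splitlines()

def parse_fast_line(line):
    """Return a dict for one fast.log alert line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    rec["sid"] = int(rec["sid"])
    return rec

def summarize(lines, sid):
    """Per flow (src, dst): hits, first/last timestamp, largest gap in seconds."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_fast_line(line)
        if rec and rec["sid"] == sid:
            flows[(rec["src"], rec["dst"])].append(rec["ts"])
    out = {}
    for flow, stamps in flows.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        out[flow] = {"hits": len(stamps), "first": stamps[0],
                     "last": stamps[-1], "max_gap": max(gaps, default=0.0)}
    return out

if __name__ == "__main__":
    for (src, dst), s in summarize(SAMPLE, 1000003).items():
        print(f"{src} -> {dst}: {s['hits']} hits, last at {s['last']}, "
              f"max gap {s['max_gap']:.3f}s")
```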

Please post the run command you use for Suricata, the stats.log, suricata.log, suricata.yaml config and ideally the pcap to try to reproduce it.