In the case of HTTP keep-alive, the response information is wrong

system info:
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"

suricata info:
This is Suricata version 7.0.5 RELEASE

pcap info:
3@240725h15-oGdjJqPGpZBJI51Sr-c7NlPO.pcap (9.6 KB)

arkime info:



suricata eve.log info

{"timestamp":"2024-07-25T15:23:30.593394+0000","flow_id":418793524803631,"in_iface":"ens35f0","event_type":"alert","vlan":[25],"src_ip":"117.21.43.38","src_port":28798,"dest_ip":"117.184.223.26","dest_port":80,"proto":"TCP","pkt_src":"wire/pcap","metadata":{"flowbits":["session.sensitive_file_special"]},"tx_id":1,"alert":{"action":"allowed","gid":212669,"signature_id":1,"rev":0,"signature":"git敏感文件探测","category":"","severity":3,"metadata":{"attack_result":["1"]}},"http":{"hostname":"bob.ztgame.com","url":"/images../.git/config","http_user_agent":"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36","xff":"47.103.195.220","http_content_type":"text/xml","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":982,"http_response_body":"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"},"app_proto":"http","direction":"to_server","flow":{"pkts_toserver":6,"pkts_toclient":10,"bytes_toserver":1552,"bytes_toclient":7515,"start":"2024-07-25T15:23:21.883939+0000","src_ip":"117.21.43.38","dest_ip":"117.184.223.26","src_port":28798,"dest_port":80},"payload":"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","stream":1}

suricata http.log info:

{"alerted":true,"event_type":"alert","http":{"time_since_request":9,"http_response_header":"X-Server: 117.184.223.26\nConnection: keep-alive\nDate: Thu, 25 Jul 2024 15:24:21 GMT\nContent-Type: text\/xml\nETag: \"66a14343-1745\"\nContent-Length: 5957\nLast-Modified: Wed, 24 Jul 2024 18:09:07 GMT\nAccept-Ranges: bytes\nServer: nginx\n","http_response_body":"PD94bWwgdmVyc2lvbj0iMS4wIj8+CjxDb25maWc+Cgk8c2xvZ2FuIHBpYz0iaHR0cHM6Ly9jZG4xLmJhdHRsZW9mYmFsbHMuY29tL3BpYy9nYW1lbG9nby9nYW1lbG9nb18yMDI0MDcyNFIxLnBuZyIgcGljX3Bvcz0iMCwtMjY1LDAiLz4KCTwhLS1zaGllbGR2ZXI9IjE3LjUuMSIgIOWvueW6lOeahOeJiOacrOWPt++8jOWuoeaguOWhq+WGme+8jOW\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\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\/kvZPpqozmm7TlpJrnjqnms5Xlubbpooblj5blpKfph4\/lpb3npLwsXG7ngrnlh7vliY3lvoDmm7TmlrDvvIEiLz4KCTxpdGVtIGRldmljZT0iYW5kcm9pZCIgQ2hhbm5lbD0iZ3VhbmdnYW9fbmV3YmllIiAgICAgCWZvcmNlVXBkYXRlPSIxOC43LjEiICB0aXBVcGRhdGU9IjE4LjcuMSIgIGRvd25sb2FkPSJodHRwczovL2F0LnVtdHJhY2suY29tL0NDU3ZDbSIgZG93bldvcmQ9IuWPkeeOsOaWsOeJiOacrCzmm7TmlrDlj6\/kvZPpqozmm7TlpJrnjqnms5Xlubbpooblj5blpKfph4\/lpb3npLwsXG7ngrnlh7vliY3lvoDmm7TmlrDvvIEiLz4KCTwhLS3mipbpn7PmuKDpgZMtLT4KCTxpdGVtIGRldmljZT0iYW5kcm9pZCIgQ2hhbm5lbD0iZG91eWluX2NoYW5uZWwiICAJCWZvcmNlVXBkYXRlPSIxNy4zLjEiICB0aXBVcGRhdGU9IjE3LjMuMSIgIGRvd25sb2FkPSJodHRwczovL2F0LnVtdHJhY2suY29tL0NDU3ZDbSIvPgoJPCEtLeaKlumfs+WumOaWueWMhS0tPgoJPGl0ZW0gZGV2aWNlPSJhbmRyb2lkIiBDaGFubmVsPSJkb3V5aW5fbmV3YmllIiAgCQlmb3JjZVVwZGF0ZT0iMTcuMy4xIiAgdGlwVXBkYXRlPSIxNy4zLjEiICBkb3dubG9hZD0iaHR0cHM6Ly9hdC51bXRyYWNrLmNvbS9DQ1N2Q20iLz4KCTwhLS3lsI\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\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","response_line":"HTTP\/1.1 200 OK","url":"\/images..\/.git\/config","request_line":"GET \/images..\/.git\/config HTTP\/1.1","hostname":"bob.ztgame.com","http_request_header":"X-Forwarded-For: 47.103.195.220\nHost: bob.ztgame.com\nConnection: keep-alive\nAccept: *\/*\ne085babc17b31f9e2b2b7e8362e56bbc: 
tag\nX-NWS-LOG-UUID: 10835756224537340404\nAccept-Encoding: gzip\nTencent-Acceleration-Domain-Name: bob.ztgame.com\nb35e07687ccc7dec898ca015e6cb378d: tag\nc5956451aa4b6c19c8b31bae3bb1159e: tag\nX-Forwarded-Proto: http\n5563341c6b6bc3a6fadfb6a9820be181: tag\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2226.0 Safari\/537.36\nX-Tencent-Ua: Qcloud\nAccept-Language: en\n"},"tx_id":1,"flow_id":"418793524803631"}
{"alerted":true,"event_type":"alert","http":{"time_since_request":27,"http_response_header":"","url":"\/version.xml?1721949861039.5","request_line":"GET \/version.xml?1721949861039.5 HTTP\/1.1","hostname":"app.battleofballs.com","http_request_header":"X-Forwarded-For: 182.104.87.195\nHost: app.battleofballs.com\ne085babc17b31f9e2b2b7e8362e56bbc: tag\nConnection: keep-alive\nAccept: *\/*\nTencent-Acceleration-Domain-Name: app.battleofballs.com\nX-NWS-LOG-UUID: 7217355891403792119\nX-Unity-Version: 2022.3.10f1\nContent-Length: 0\n5c9fd75ed32336eadbd99d570b4dde97: tag\nX-Forwarded-Proto: http\nAccept-Language: zh-CN,zh-Hans;q=0.9\nAccept-Encoding: gzip, deflate\nUser-Agent: balls\/19.2.5 CFNetwork\/1496.0.7 Darwin\/23.5.0\nX-Tencent-Ua: Qcloud\n564ede548e12574429a8e0621b1380b0: tag\n"},"tx_id":2,"flow_id":"418793524803631"}

So there are several questions about the above:

  1. Under what circumstances will the pcap be out of order?
  2. How does Suricata deal with an out-of-order pcap, and is the current problem a bug?
  3. How can I solve it?

In keep-alive mode, the response body and request body of the same session are mixed up. Can anyone help me solve this problem?

How did you do the replay?

What signature did you use, so we could reproduce it?

alert http any any -> $HOME_NET any (msg:"git敏感文件探测"; flow:established,to_server; http.uri; pcre: "/git/i"; metadata:attack_result 1;  flowbits:set,session.sensitive_file_special; lua:sensitive_file.lua; sid: 1; gid: 212669;)
local helper = require("common/helper")
local logger = require("common/logger")
local cjson = require("cjson")
luaunit = require("luaunit")

-- Current module name; used as the source tag in every log line written
-- by this script. Global (not local): read by errorHandler, init and the
-- xpcall guard below.
moduleName = "check.sensitive_file"

-- Load the keyword dictionary. This is the raw file content as returned by
-- helper.loadFile; init_data decodes it into a table in place.
-- Global (not local): read by functionToBeExecuted and init.
sensitive_file_keywords = helper.loadFile("sensitive_file_keywords.json")

-- Rule filter: maps a signature gid to the key in
-- sensitive_file_keywords.json that holds the dedicated keyword list for
-- that rule. gids not listed here only get the generic "other" and
-- "blackSuffix" checks.
local sensitiveFileFilterMap = {
    [212669] = "git", -- key in sensitive_file_keywords.json
    [214582] = "svn",
}

--- xpcall message handler: records the error under this module's name.
-- @param err the error value handed over by xpcall
function errorHandler(err)
    local level = logger.LogLevel.ERROR
    logger.writeLog(moduleName, level, err)
end

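--- Decode the raw keyword dictionary and lower-case every keyword list.
-- sensitive_file_keywords is loaded as raw JSON text at the top of this
-- file and is replaced here by the decoded table. Lower-casing matters:
-- functionToBeExecuted compares the keywords against a lower-cased URI, so
-- any keyword left in mixed case would never match and the rule would
-- silently miss that probe.
-- Raises (from cjson.decode) on malformed JSON; the file-level xpcall
-- guard catches and logs that.
function init_data()
    sensitive_file_keywords = cjson.decode(sensitive_file_keywords)
    for key, list in pairs(sensitive_file_keywords) do
        -- Assigning the converted list to the loop variable would not
        -- change the table; write it back under the same key instead
        -- (overwriting an existing key during pairs() is permitted).
        local lowered = helper.convertListToLowercase(list)
        if lowered ~= nil then
            sensitive_file_keywords[key] = lowered
        end
    end
end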

-- Run init_data under xpcall so a bad dictionary is logged instead of
-- aborting the script load; on failure the chunk stops here and yields 0.
local initialized = xpcall(init_data, errorHandler)
if initialized == false then
    local failureMsg = moduleName .. "初始化失败"
    logger.writeLog(moduleName, logger.LogLevel.ERROR, failureMsg)
    return 0
end


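--- Strip the query string from a URI and return the path part only.
-- The keyword and suffix checks run on this value, so parameter values
-- cannot produce a path match. The caller lower-cases the URI first.
-- @tparam string http_uri the request URI
-- @treturn string the URI up to, but excluding, the first "?"; the input
-- unchanged when it has no "?"
function getBaseUrl(http_uri)
    -- "?" is a pattern magic character; search for it as a plain string.
    local queryStart = http_uri:find("?", 1, true)
    if queryStart then
        return http_uri:sub(1, queryStart - 1)
    end
    return http_uri
end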

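--- True when baseUrl contains any entry of keywords as a plain substring.
-- @tparam string baseUrl lower-cased request path
-- @tparam table keywords sequence of literal strings (not patterns)
-- @treturn boolean
local function containsAnyKeyword(baseUrl, keywords)
    for _, keyword in ipairs(keywords) do
        if string.find(baseUrl, keyword, 1, true) then  -- plain find: no pattern matching
            return true
        end
    end
    return false
end

--- Detection body; match() runs this under xpcall.
-- @param http_uri value of the http.uri buffer (any type; coerced with tostring)
-- @param gid rule group id from SCRuleIds(); selects the dedicated keyword list
-- @treturn number 1 on a hit, 0 otherwise
function functionToBeExecuted (http_uri, gid)
    http_uri = string.lower(tostring(http_uri))
    local baseUrl = getBaseUrl(http_uri)  -- local: was leaking as a global
    -- Dedicated check: the gid-specific list (e.g. "git") against the base path.
    if helper.mapExistKey(sensitiveFileFilterMap, gid) then
        local listKey = sensitiveFileFilterMap[gid]
        if helper.mapExistKey(sensitive_file_keywords, listKey)
            and containsAnyKeyword(baseUrl, sensitive_file_keywords[listKey]) then
            return 1
        end
    end
    -- "other": path containment match. The original note says these
    -- system-sensitive files may be probed via assembled variables and so
    -- show up in URL params; the check nonetheless runs on baseUrl, which
    -- has the query string removed.
    if containsAnyKeyword(baseUrl, sensitive_file_keywords["other"]) then
        return 1
    end
    -- Suffix check. A path containing "download" is treated as a permitted
    -- download location and skips the suffix check; this does not depend on
    -- the loop variable, so it is tested once before the loop.
    -- NOTE(review): this exempts every path with that substring, not only a
    -- download directory — confirm that is the intended allow rule.
    if string.find(baseUrl, "download", 1, true) then
        return 0
    end
    -- Suffix matched and not a download location: alert.
    for _, suffix in ipairs(sensitive_file_keywords["blackSuffix"]) do
        if baseUrl:sub(-#suffix) == suffix then
            return 1
        end
    end
    return 0
end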

--- Suricata entry point: declare the buffers this script needs and check
-- that the keyword dictionary is not empty.
-- @param args unused
-- @treturn table needs map requesting the http.uri buffer
function init (args)
    local otherCount = #sensitive_file_keywords["other"]
    local suffixCount = #sensitive_file_keywords["blackSuffix"]
    if otherCount == 0 and suffixCount == 0 then
        local msg = moduleName .. "初始化失败,sensitive_file_keywords 为空"
        logger.writeLog(moduleName, logger.LogLevel.ERROR, msg)
    else
        helper.printInitCheckModuleLog(moduleName)
    end
    return { ["http.uri"] = tostring(true) }
end

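--- Suricata entry point invoked per http.uri buffer.
-- @param args table holding the requested buffers ("http.uri")
-- @treturn number 1 on a hit; 0 on no hit or when functionToBeExecuted
-- raised (the error has already been logged by errorHandler)
function match(args)
    -- Keep the rule ids local; they previously leaked as globals on every call.
    local _sid, _rev, gid = SCRuleIds()
    local ok, result = xpcall(functionToBeExecuted, errorHandler, args["http.uri"], gid)
    if ok then
        return result
    end
    return 0
end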

Playback was done using tcpreplay.