Not sure if this necessarily belongs in “Developers” or more in the general help, but I’m asking in the context of fixing tests due to a change I’ve made, so trying here first.
I’m wondering about the expectations of one of the tests (below).
I see there’s code in Suricata to correct the direction of a flow which Suricata only sees one side of (in this test case, it sees only server->client), so the fact that it notes that the dest port is 80 in the http record shows this code working.
But why does the alert say the source port is 80?
% cat test.yaml

```yaml
requires:
  features:
    - HAVE_LIBJANSSON
  min-version: 5.0.0

args:
  - --set stream.midstream=true
  - --set stream.async-oneside=true

checks:
  # Check that we only have one alert event type in eve.
  - filter:
      count: 1
      match:
        event_type: alert
        src_port: 80
  - filter:
      count: 1
      match:
        event_type: http
        dest_port: 80
```
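To make concrete what the two `filter` checks in that test.yaml actually assert, here is an added example (not from the post, and not suricata-verify's own code) that evaluates the same `filter`/`match`/`count` checks over constructed eve.json lines. The sample records, with an `alert` carrying `src_port: 80` and an `http` record carrying `dest_port: 80`, are made up to mirror the situation described above. Dotted keys such as `alert.signature_id` are handled as an assumed convenience; the exact matching semantics of suricata-verify are not reproduced here.

```python
import json

# Constructed sample eve.json output (not from the original post). The flow was
# only seen server->client: the alert record keeps src_port 80, while the http
# record has been flipped so that dest_port is 80.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"203.0.113.10","src_port":80,"dest_ip":"192.0.2.5","dest_port":51234,"proto":"TCP","alert":{"signature_id":1}}
{"event_type":"http","src_ip":"192.0.2.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP"}
{"event_type":"flow","src_ip":"203.0.113.10","src_port":80,"dest_ip":"192.0.2.5","dest_port":51234,"proto":"TCP"}
"""

# The two checks from the test.yaml in the post, transcribed as Python structures.
CHECKS = [
    {"filter": {"count": 1, "match": {"event_type": "alert", "src_port": 80}}},
    {"filter": {"count": 1, "match": {"event_type": "http", "dest_port": 80}}},
]


def load_eve(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def lookup(record, dotted_key):
    """Resolve a possibly dotted key ("alert.signature_id") inside a record.
    Returns None when any component is missing (assumed behaviour)."""
    node = record
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def record_matches(record, match):
    """Every key/value pair under `match` must equal the record's field."""
    return all(lookup(record, key) == value for key, value in match.items())


def run_filter(records, flt):
    """Count records matching the filter and compare with the expected count.
    Returns (passed, hits)."""
    hits = sum(1 for record in records if record_matches(record, flt["match"]))
    return hits == flt["count"], hits


def run_checks(records, checks):
    """Evaluate each `filter` check; returns a list of (match, expected, hits, passed)."""
    results = []
    for check in checks:
        flt = check["filter"]
        passed, hits = run_filter(records, flt)
        results.append((flt["match"], flt["count"], hits, passed))
    return results


def all_pass(results):
    return all(passed for (_, _, _, passed) in results)


if __name__ == "__main__":
    eve_records = load_eve(SAMPLE_EVE)
    for match, expected, hits, passed in run_checks(eve_records, CHECKS):
        print(f"{'PASS' if passed else 'FAIL'} match={match} expected={expected} hits={hits}")
```

Running it against the constructed records, both checks pass: exactly one `alert` record has `src_port: 80` and exactly one `http` record has `dest_port: 80`. Changing the first check to `dest_port: 80` would find zero alert records and fail, which is the asymmetry the question is about.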