Some match bypass?

Dear Doctor:
I had a problem in rule matching.
My rule is:
alert http any any -> any any (msg:"test"; flow:to_client; http.stat_code; content:"200"; sid:1111111;)

My Suricata version: 6.0.1 RELEASE
My suricata.yaml:
stream:
  midstream: yes
  memcap: 64mb
  checksum-validation: no
  inline: auto
  reassembly:
    memcap: 256mb
    depth: 1mb
    toserver-chunk-size: 1024
    toclient-chunk-size: 1024
    randomize-chunk-size: yes

My command:
suricata -r ./landray.pcap -v -c ./suricata.yaml

It doesn't match ...
landray.pcap (379.6 KB)

Looking forward to hearing from you

Hi leezp,

I could be wrong, but I don’t think there’s an issue with your rule. Rather, it seems to be something with that pcap. I have tried running your rule against that pcap and against live traffic, and I do get alerts from Suricata when it’s inspecting live traffic, but no alerts or even http event types show up in my logs when I run Suricata to inspect that provided pcap.

Unfortunately, my knowledge is still limited, so I can't explain why that pcap doesn't generate alerts. I would just recommend that you test your rule against another pcap, or with live traffic. If you do, please share the resulting output log from eve.json or fast.log! :slight_smile:

Best regards,
Juliana

Hi,

I tried looking at some of the HTTP streams and I cannot see the SYN packets for most of them. It looks like the pcap has HTTP coming over long-running, reused TCP sessions.
I would assume that midstream: yes would pick it up, but it seems that is not the case.

Are you testing on live traffic or packet capture?
Is the traffic sent from some other TLS inspection box for instance that might mangle it a bit?

There are some streams with SYN packets (for instance tcp.stream eq 74 in Wireshark), but the first packets in the stream do not look like HTTP at all.

You might also need to change the HTTP port variables, since non-standard ones are in use in the pcap.
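The two checks described in this reply (and the "data before the start of the HTTP request" observation later in the thread) can be done mechanically before going back to Suricata: for every TCP flow in the capture, did we see a SYN, and do the first payload bytes in each direction start with an HTTP request or status line? The script below is an added example written for this thread, not Suricata's code and not the original poster's pcap. It parses classic libpcap files (Ethernet/IPv4/TCP only) with the standard library and runs against a small capture constructed in memory; the addresses, ports and payloads in SAMPLE_PCAP are made up.

```python
"""Triage a pcap for what Suricata needs before a TCP flow is treated as HTTP:
(1) was the session start (SYN) captured, and (2) do the first payload bytes
in each direction actually look like HTTP?

Constructed example for this thread, not Suricata's own code. Handles classic
libpcap files with Ethernet/IPv4/TCP frames only (no pcapng, no IPv6).
"""
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def looks_like_http(payload):
    """True if the first bytes are an HTTP request line or status line."""
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/")


def parse_pcap(data):
    """Yield (src, sport, dst, dport, tcp_flags, payload) for each IPv4/TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian (usec / nsec)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian (usec / nsec)
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:
            continue                            # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[13], tcp[doff:]


def summarize_flows(packets):
    """Group packets into bidirectional flows; keep SYN state and first payload per direction."""
    flows = defaultdict(lambda: {"syn": False, "first_payload": {}})
    for src, sport, dst, dport, flags, payload in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flow = flows[key]
        if flags & SYN:
            flow["syn"] = True
        if payload and (src, sport) not in flow["first_payload"]:
            flow["first_payload"][(src, sport)] = payload
    return flows


def classify(flow):
    """One-line verdict: was the start seen, and is HTTP at byte 0 in every direction?"""
    if not flow["first_payload"]:
        return "no payload"
    start = "SYN seen" if flow["syn"] else "midstream (no SYN)"
    if all(looks_like_http(p) for p in flow["first_payload"].values()):
        return start + ", HTTP at first byte in both directions"
    return start + ", leading bytes not HTTP in at least one direction"


def triage(pcap_bytes):
    """Map each TCP flow key to its verdict."""
    return {k: classify(f) for k, f in summarize_flows(parse_pcap(pcap_bytes)).items()}


# --- constructed sample capture (made-up addresses, ports and payloads) ---
def _tcp_frame(src, sport, dst, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(fr), len(fr)) + fr
    return out


CLIENT, SERVER = "10.0.0.2", "10.0.0.1"
SAMPLE_PCAP = build_pcap([
    # flow 1: full handshake, clean HTTP exchange on a non-standard port
    _tcp_frame(CLIENT, 40001, SERVER, 8888, SYN),
    _tcp_frame(SERVER, 8888, CLIENT, 40001, SYN | ACK),
    _tcp_frame(CLIENT, 40001, SERVER, 8888, ACK | PSH, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    _tcp_frame(SERVER, 8888, CLIENT, 40001, ACK | PSH, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    # flow 2: long-running reused session, capture starts mid-flow (no SYN)
    _tcp_frame(CLIENT, 40002, SERVER, 8888, ACK | PSH, b"GET /b HTTP/1.1\r\nHost: x\r\n\r\n"),
    _tcp_frame(SERVER, 8888, CLIENT, 40002, ACK | PSH, b"HTTP/1.1 200 OK\r\n\r\n"),
    # flow 3: SYN present, but bytes precede the HTTP request in the client direction
    _tcp_frame(CLIENT, 40003, SERVER, 8888, SYN),
    _tcp_frame(SERVER, 8888, CLIENT, 40003, SYN | ACK),
    _tcp_frame(CLIENT, 40003, SERVER, 8888, ACK | PSH, b"\x00\x01\x02GET / HTTP/1.1\r\n\r\n"),
    _tcp_frame(SERVER, 8888, CLIENT, 40003, ACK | PSH, b"HTTP/1.1 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    for (a_ip, a_port), (b_ip, b_port) in triage(SAMPLE_PCAP):
        pass
    for key, verdict in triage(SAMPLE_PCAP).items():
        (a_ip, a_port), (b_ip, b_port) = key
        print(f"{a_ip}:{a_port} <-> {b_ip}:{b_port}: {verdict}")
```

To use it on a real capture, read the file into bytes and call triage() on it: flows reported as "midstream (no SYN)" are the ones that depend on midstream: yes, and flows reported with "leading bytes not HTTP" are the ones Suricata's protocol detection is unlikely to classify as HTTP regardless of the rule.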

Who can debug with my pcap and config file? I want to know where and why the problem happens.

I tried live mode.
My command is: suricata -i eth0 -v -c /etc/suricata/suricata.yaml -k none -l ./log

tcpreplay -i eth0 -M 100 landray.pcap
My rule is:
alert http any any -> any any (msg:"test"; flow:to_client; http.stat_code; content:"200"; sid:1111111;)
But there is no alert.
eve.json (24.5 KB)

It looks like Suricata isn't identifying these packets as HTTP. In one flow that I looked at with an HTTP response, there is some data before the start of the HTTP request, which could be causing this. Is there anything not normal about your configuration, or about the traffic you are monitoring, that you may be aware of?