Some match bypass?

Hi,

Could you provide us with a bit more context?

  • what are the rules generating the alerts you are looking for in the eve.json?
  • are you running this over a pcap that you could share?
  • can you share the specific part of the suricata.yaml that you changed for this?
  • also, if you can share the eve.json excerpt, it can help us understand what is going on here.

Thanks in advance! :slight_smile:

my rule:
alert tcp any any -> any any (msg:"test eve.json"; flow:established,to_server; content:"PASS"; flowbits:set,test; noalert; sid:6000007;)
alert tcp any any -> any any (msg:"test eve.json"; flow:established,to_client; content:"230"; flowbits:isset,test; sid:6000006;)
my suricata.yaml:
payload-printable: yes
http-body-printable: yes
suricata.yaml (69.2 KB)

ftp.pcap (3.0 KB)

my eve.json
{"timestamp":"2020-10-09T15:48:21.521397+0800","flow_id":181346770127416,"event_type":"alert","src_ip":"192.168.255.156","src_port":21,"dest_ip":"192.168.255.5","dest_port":22463,"proto":"TCP","metadata":{"flowbits":["ftp_login"]},"alert":{"action":"allowed","gid":1,"signature_id":6000006,"rev":0,"signature":"ftp login success","category":"","severity":3},"app_proto":"ftp","app_proto_tc":"failed","flow":{"pkts_toserver":7,"pkts_toclient":4,"bytes_toserver":416,"bytes_toclient":311,"start":"2020-10-09T15:48:32.494136+0800"},"payload":"MjIwIE1pY3Jvc29mdCBGVFAgU2VydmljZQ0KMzMxIFBhc3N3b3JkIHJlcXVpcmVkIGZvciBsZWUtUEMuDQoyMzAgVXNlciBsb2dnZWQgaW4uDQo=","payload_printable":"220 Microsoft FTP Service\r\n331 Password required for lee-PC.\r\n230 User logged in.\r\n","stream":1,"pcap_filename":"./ftp_login_fail_success.pcap"}


Hi,

thanks for the data!

It seems that your first rule wasn’t generating alerts due to the keyword noalert that you used (check 6.38. Differences From Snort — Suricata 7.0.0-dev documentation).
By removing that keyword from your rule, I was able to get alerts for both request and response. (Check attached json). Was that what you wanted?

Updated rule:

alert tcp any any -> any any (msg:"test eve.json"; flow:established,to_server; content:"PASS"; flowbits:set,test; sid:6000007;)

eve-lzp.json (5.3 KB)

I want to get both request and response from a stream in one alert (eve.json).
alert tcp any any -> any any (msg:"test eve.json"; flow:established,to_server; content:"PASS"; flowbits:set,test; noalert; sid:6000007;)
alert tcp any any -> any any (msg:"test eve.json"; flow:established,to_client; content:"230"; flowbits:isset,test; sid:6000006;)
I want to get an alert from sid:6000006.

Two rules will result in two alerts.
The alert will contain the payload of the packet triggering the rule if the correct yaml configuration is given.
I am not sure if you can get an alert to contain the payload from both sides of a stream.

You could have a look at the tag: keyword, usage should be similar to snort 3.7 Post-Detection Rule Options. Note that I have not used it myself.

Adding to what syoc answered: in most cases, it is not possible to log request and response in the alert triggered by the response. Some specific app-layer protocol may have that implemented, but then you’d likely see that configuration option in the yaml file.

Depending on what your goal is, you can use the flow_id to get the bigger picture and follow traffic associated with a specific alert.

To finish, you could create a feature request ticket on redmine, as that helps us know what our users want/need to make their lives easier. :slight_smile: Issues - Suricata - Open Information Security Foundation
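As an added illustration of the flow_id approach suggested above, here is a small Python script (written for this page, not Suricata's own tooling) that reads eve.json lines, groups alert events by flow_id, base64-decodes each alert's payload field, and stitches the to_server and to_client alerts of one flow back into a request/response view. The eve.json lines are constructed to mimic what the thread's rule pair emits once noalert is removed from sid 6000007; they keep only the fields the script needs, and the PASS payload is invented sample data.

```python
"""Correlate Suricata eve.json alerts from both directions of one flow by flow_id."""
import base64
import json
from collections import defaultdict


def _alert(ts, flow_id, src, sport, dst, dport, sid, msg, payload: bytes):
    """Build a minimal eve.json alert record (constructed test data, not real Suricata output)."""
    return json.dumps({
        "timestamp": ts,
        "flow_id": flow_id,
        "event_type": "alert",
        "src_ip": src, "src_port": sport,
        "dest_ip": dst, "dest_port": dport,
        "proto": "TCP",
        "alert": {"signature_id": sid, "signature": msg, "action": "allowed"},
        "app_proto": "ftp",
        # Suricata base64-encodes the packet payload when payload: yes is set.
        "payload": base64.b64encode(payload).decode("ascii"),
    })


# Constructed eve.json lines: the two alerts the thread's rule pair would emit
# for one FTP login flow (request, then response), an unrelated alert on a
# different flow, and a non-alert flow record that must be ignored.
SAMPLE_EVE_LINES = [
    _alert("2020-10-09T15:48:21.400000+0800", 181346770127416,
           "192.168.255.5", 22463, "192.168.255.156", 21,
           6000007, "test eve.json", b"PASS secret\r\n"),
    _alert("2020-10-09T15:48:21.521397+0800", 181346770127416,
           "192.168.255.156", 21, "192.168.255.5", 22463,
           6000006, "test eve.json", b"230 User logged in.\r\n"),
    _alert("2020-10-09T15:49:00.000000+0800", 99,
           "10.0.0.1", 40000, "10.0.0.2", 21,
           6000007, "test eve.json", b"PASS other\r\n"),
    json.dumps({"timestamp": "2020-10-09T15:50:00.000000+0800",
                "flow_id": 181346770127416, "event_type": "flow"}),
]


def decode_payload(event):
    """Return the raw packet bytes from an alert's base64 'payload' field, or b'' if absent."""
    encoded = event.get("payload")
    return base64.b64decode(encoded) if encoded else b""


def group_alerts_by_flow(lines):
    """Parse eve.json lines and group alert events by flow_id, ordered by timestamp."""
    flows = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue  # flow, fileinfo, stats ... records are not alerts
        flows[event["flow_id"]].append(event)
    for events in flows.values():
        # Same timezone offset in every record, so the ISO strings sort correctly.
        events.sort(key=lambda e: e["timestamp"])
    return flows


def reconstruct_exchange(events):
    """Stitch the per-direction alerts of one flow into a request/response view."""
    return [
        {
            "sid": e["alert"]["signature_id"],
            "from": f'{e["src_ip"]}:{e["src_port"]}',
            "to": f'{e["dest_ip"]}:{e["dest_port"]}',
            "payload": decode_payload(e).decode("utf-8", errors="replace"),
        }
        for e in events
    ]


def exchanges_for_sid(lines, sid):
    """For every flow where `sid` fired, return the full exchange seen on that flow."""
    result = {}
    for flow_id, events in group_alerts_by_flow(lines).items():
        if any(e["alert"]["signature_id"] == sid for e in events):
            result[flow_id] = reconstruct_exchange(events)
    return result


if __name__ == "__main__":
    # Usage: for a real file, replace SAMPLE_EVE_LINES with open("eve.json").
    for flow_id, exchange in exchanges_for_sid(SAMPLE_EVE_LINES, 6000006).items():
        print(f"flow_id {flow_id}:")
        for step in exchange:
            print(f'  sid {step["sid"]} {step["from"]} -> {step["to"]}: {step["payload"]!r}')
```

Because Suricata only ever logs the payload of the packet that triggered a given alert, this post-processing step is what gives you "both sides in one place": the request alert (sid 6000007) and the response alert (sid 6000006) share the same flow_id, so joining on it recovers the PASS line alongside the 230 reply.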

What's the meaning of "toserver_chunk_size"? Can you give me a detailed example in rule matching? Thanks.

Hey leezp!

Would you mind creating a new thread in the forum, since you’re asking something completely different? That makes it easier for us and for others to know there’s a new question, and what the main topic is :slight_smile:

Thanks a lot for making use of our forum, and for helping improve it!