Suricata cannot audit the http protocol of mirrored data

Hi guys,

I recently encountered a problem. I used netis-packet-agent to mirror the traffic from a web server to a server with Suricata installed, and then did a rule trigger test. I found that the alert event triggered, but the audit log of HTTP was not generated.

So I did the same test on the Suricata server itself, and both the HTTP and security alert logs were generated. I am not sure why this is the result so far, and would appreciate any help, thanks!

Also

  1. netis's packet-agent tool encapsulates the data as GRE for transmission
  2. Suricata uses the default configuration; the version is the latest 6.0

Test content

curl http://testmynids.org/uid/index.html
alert ip any any -> any any (msg: "GPL ATTACK_RESPONSE id check returned root"; content: "uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

How do you run Suricata exactly and did you change anything in the config?
Especially the packet capture part would be interesting to see.