Please include the following information with your help request:
- Suricata version: 7.0.0
- Operating system and/or Linux distribution: Ubuntu 20.04
- How you installed Suricata (from source, packages, something else): source
Repro steps:
1. Build Suricata with pfring.
2. Run Suricata with the default config except for pfring:
pfring:
  - interface: enp132s0f0
    threads: 32
    cluster-id: 99
    cluster-type: cluster_flow
    bypass: yes
    checksum-checks: no
3. Edit one rule:
alert http any any -> any any ( msg:".svn info leak"; http.method; content:"GET"; flow:to_server,established; flowbits:set,svn_entries_information_leak; http.uri; content:"|2e|svn|2f|entries"; nocase; classtype: information-leakage; sid:1; rev:1;)
4. Run suricata -c /path/to/config.yaml --pfring=enp132s0f0 -S /path/to/rule
5. Replay the pcap (see attachment) to enp132s0f0, or open the pcap file with Suricata using the -r argument.
Then I get an alert without an HTTP response header.
It seems like the retransmission packet triggers the prefilter engine but does not trigger AppLayerHandleTCPData because Suricata treats this packet as a gap?
Once I drop the retransmission packet and replay it to Suricata, Suricata outputs both the request and response headers.
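As an added example, not part of the original report: a small script that scans EVE JSON alert records for the symptom described above (an HTTP alert whose http object carries request fields but no response status) and reports how many alerts are missing their response side. The sample EVE lines are constructed, not taken from the attached pcap.

```python
import json

# Constructed sample EVE JSON lines (not from the original report):
# alert 1 has only request-side HTTP fields (the symptom described above),
# alert 2 has both request and response fields, line 3 is not an alert.
SAMPLE_EVE = """\
{"timestamp":"2023-08-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1,"signature":".svn info leak"},"http":{"hostname":"example.test","url":"/.svn/entries","http_method":"GET"}}
{"timestamp":"2023-08-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1,"signature":".svn info leak"},"http":{"hostname":"example.test","url":"/.svn/entries","http_method":"GET","status":404,"length":123}}
{"timestamp":"2023-08-01T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
"""


def classify_http_alerts(lines):
    """Split alert records with an http object into (complete, missing_response).

    EVE sets the http "status" field from the response line, so an alert whose
    http object lacks "status" was logged before any response was seen.
    """
    complete, missing = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if rec.get("event_type") != "alert":
            continue
        http = rec.get("http")
        if not isinstance(http, dict):
            continue
        (complete if "status" in http else missing).append(rec)
    return complete, missing


def summarize(lines):
    """Count HTTP alerts and the share that carry no response fields."""
    complete, missing = classify_http_alerts(lines)
    total = len(complete) + len(missing)
    ratio = len(missing) / total if total else 0.0
    return {"total": total, "missing_response": len(missing), "ratio": ratio}


if __name__ == "__main__":
    print(summarize(SAMPLE_EVE.splitlines()))
```

Run it against a real eve.json with `summarize(open("eve.json"))` to measure how often alerts for a signature fire without the response side, as in the retransmission case described above.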