Please include the following information with your help request:
- Suricata version
- Operating system and/or Linux distribution
- How you installed Suricata (from source, packages, something else)
1. Build Suricata with PF_RING.
2. Run Suricata with the default config except for the pfring section:

pfring:
  - interface: enp132s0f0
    threads: 32
    cluster-id: 99
    cluster-type: cluster_flow
    bypass: yes
    checksum-checks: no

3. Edit one rule:
alert http any any -> any any ( msg:".svn info leak"; http.method; content:"GET"; flow:to_server,established; flowbits:set,svn_entries_information_leak; http.uri; content:"|2e|svn|2f|entries"; nocase; classtype: information-leakage; sid:1; rev:1;)
4. Run suricata -c /path/to/config.yaml --pfring=enp132s0f0 -S /path/to/rule
5. Replay the pcap (see attachment) to enp132s0f0, or open the pcap file with Suricata using the -r argument.
Then I get an alert without the HTTP response header.
It seems like the retransmission packet triggers the prefilter engine but does not trigger AppLayerHandleTCPData, because Suricata treats this packet as a gap?
Once I drop the retransmission packet and replay it to Suricata, Suricata outputs both the request and the response header.
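As an added example that is not part of the original post or of Suricata itself, the following Python script checks EVE alert records for HTTP alerts whose http object carries only the request side, which is a quick way to confirm the symptom described above across a whole capture rather than eyeballing one alert. It assumes alerts are written to eve.json with the http application-layer output enabled and dump-all-headers set to both (an assumption; the post does not say which log was inspected), and the sample lines embedded in it are constructed, not real Suricata output.

```python
"""Check Suricata EVE alert records for HTTP alerts that lack response data.

Added example, not part of the original post or of Suricata itself. It
assumes alerts are written to eve.json with the http application-layer
output enabled and dump-all-headers set to both (an assumption; the post
does not say which log it inspected).
"""
import json
from typing import Any, Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample EVE lines, not real Suricata output. The first alert
# carries only the request side of the http object; the second also has
# the response status and headers.
SAMPLE_EVE_LINES: List[str] = [
    json.dumps({
        "timestamp": "2024-01-01T00:00:00.000000+0000",
        "event_type": "alert",
        "flow_id": 101,
        "src_ip": "10.0.0.1", "src_port": 40000,
        "dest_ip": "10.0.0.2", "dest_port": 80, "proto": "TCP",
        "alert": {"signature_id": 1, "rev": 1, "signature": ".svn info leak"},
        "http": {
            "hostname": "example.test", "url": "/.svn/entries",
            "http_method": "GET", "protocol": "HTTP/1.1",
            "request_headers": [{"name": "Host", "value": "example.test"}],
        },
    }),
    json.dumps({
        "timestamp": "2024-01-01T00:00:01.000000+0000",
        "event_type": "alert",
        "flow_id": 102,
        "src_ip": "10.0.0.1", "src_port": 40001,
        "dest_ip": "10.0.0.2", "dest_port": 80, "proto": "TCP",
        "alert": {"signature_id": 1, "rev": 1, "signature": ".svn info leak"},
        "http": {
            "hostname": "example.test", "url": "/.svn/entries",
            "http_method": "GET", "protocol": "HTTP/1.1", "status": 200,
            "request_headers": [{"name": "Host", "value": "example.test"}],
            "response_headers": [{"name": "Content-Type", "value": "text/plain"}],
        },
    }),
    # A non-alert record and a corrupt line, both of which must be skipped.
    json.dumps({"event_type": "flow", "flow_id": 103}),
    "{not json",
]


def parse_alerts(lines: Iterable[str]) -> Iterator[Dict[str, Any]]:
    """Yield alert records from EVE lines, skipping other events and bad JSON."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("event_type") == "alert":
            yield rec


def has_http_response(rec: Dict[str, Any]) -> bool:
    """True when the alert's http object includes any response-side data."""
    http = rec.get("http") or {}
    return "status" in http or bool(http.get("response_headers"))


def alerts_missing_response(
    lines: Iterable[str], sid: Optional[int] = None
) -> List[Tuple[Optional[int], Optional[int], str]]:
    """Return (flow_id, sid, url) for HTTP alerts logged without a response.

    If sid is given, only alerts for that signature are considered.
    """
    found: List[Tuple[Optional[int], Optional[int], str]] = []
    for rec in parse_alerts(lines):
        rec_sid = rec.get("alert", {}).get("signature_id")
        if sid is not None and rec_sid != sid:
            continue
        if "http" not in rec:
            continue  # not an HTTP alert; nothing to compare
        if not has_http_response(rec):
            found.append((rec.get("flow_id"), rec_sid, rec["http"].get("url", "")))
    return found


if __name__ == "__main__":
    import sys

    # Read a real eve.json when a path is given, else use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read().splitlines()
    else:
        source = SAMPLE_EVE_LINES
    for flow_id, rec_sid, url in alerts_missing_response(source, sid=1):
        print(f"flow_id={flow_id} sid={rec_sid} url={url}: no HTTP response logged")
```

Run it as `python3 check_eve.py /var/log/suricata/eve.json` after replaying the pcap with and without the retransmitted segment; if the flows reported as lacking a response disappear in the second run, that matches the behaviour described in the post and gives the exact flow_id values to quote when filing the report.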