Hi, I am using Suricata to detect http traffic. I use 6.0.3 in ubuntu to detect the test pcap, but I found it can’t parse some http packets. In Wireshark , I can see my test pcap has many http pcap,
but in the Suricata output http.log there are only 5 records.
I don’t know why this happen. can anyone help me?
Here is my test.pcap
test.pcap (56.8 KB)
here is my Suricata.yaml
suricata.yaml (70.9 KB)
here is the rule:
alert http any any -> any any (msg:"test rule"; content:"POST"; http_method; content:"/cgi-bin/mainfunction.cgi";http_uri; content:"keyPath="; http_client_body; content:"action="; sid:456678; rev:2;)
It looks like some of these connections are “in progress” and your pcap doesn’t contain the connection establishment.
Try adding --set stream.midstream=true to your Suricata command line invocation and you’ll see http.log records for additional streams.