Dear,
I hope I can get both the HTTP request and response headers when an HTTP alert is triggered.
When I tried some pcaps, sometimes there is no HTTP response header in the alert info when my rule matches the HTTP request header. It seems the response header had not been received when the alert was generated, according to the log below.
My questions:
1. Can I resolve this problem through the configuration file?
2. If (1) can't, how can I change the code to meet this requirement?
My compile cmd:
./configure --enable-unix-socket --enable-rust=yes --enable-dpdk (ignore the path setting)
make && make install
The pcap and configuration were uploaded.
Suricata version: 7.0.1
Run command:
./suricata -D -v --dpdk -c suricataV2.yaml
Thanks in advance!
sid3232032.pcap (292.8 KB)
suricataV2.yaml (83.2 KB)
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Notice: output-json-alert: Peter: Enter AlertJson p->alerts.cnt = 5
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpAddMetadata tx = 0x7f5f8c4344f0, tx_id = 0 store_tx_id = 0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->request_headers_raw_len:853
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->response_headers_raw_len:0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpAddMetadata tx = 0x7f5f8c4344f0, tx_id = 0 store_tx_id = 0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->request_headers_raw_len:853
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->response_headers_raw_len:0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpAddMetadata tx = 0x7f5f8c4344f0, tx_id = 0 store_tx_id = 0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->request_headers_raw_len:853
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->response_headers_raw_len:0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpAddMetadata tx = 0x7f5f8c4344f0, tx_id = 0 store_tx_id = 0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->request_headers_raw_len:853
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->response_headers_raw_len:0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpAddMetadata tx = 0x7f5f8c4344f0, tx_id = 0 store_tx_id = 0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->request_headers_raw_len:853
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: output-json-http: Peter: EveHttpLogJSONHeaderBase64 htud->response_headers_raw_len:0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: app-layer-htp: HTPCallbackRequestComplete Enter
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: app-layer-htp: HTPCallbackRequestComplete transaction_cnt 0, list_size 1, hstate->curr_tx_id 0
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: app-layer-htp: HTPCallbackRequestComplete HTTP request completed
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: app-layer-htp: Peter: exit HTPCallbackResponseHeaderData… response_headers_raw_len = 257
[509739 - W#04-07:00.1] 2023-09-26 14:13:35 Info: app-layer-htp: Peter: exit HTPCallbackResponseHeaderData… response_headers_raw_len = 259
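The log above shows the pattern behind the question: the alert record is written while `response_headers_raw_len` is still 0, and the response header callback only fires afterwards. Rather than changing Suricata's alert output, a defender can join the EVE `alert` record with the later `http` record for the same flow and transaction and take the response headers from there. The following is an added example, not code from the original post or from the Suricata project; it assumes EVE JSON output with the standard `flow_id` and `tx_id` fields, the `http` logger configured with `dump-all-headers: both` so that `request_headers`/`response_headers` arrays are present, and uses constructed sample records (the sid 3232032 is taken from the pcap name in the post, the rule text and header values are invented).

```python
import json
from collections import defaultdict

# Constructed sample EVE lines (not from the poster's pcap). Flow 1: an alert
# fired on the request, then the http record for the same transaction arrives
# carrying the response headers. Flow 2: an alert whose http record has not
# been logged (no response seen), to show the unresolved case.
SAMPLE_EVE = """\
{"timestamp":"2023-09-26T14:13:35.000000+0700","flow_id":1,"event_type":"alert","tx_id":0,"alert":{"signature_id":3232032,"signature":"constructed test rule"},"http":{"hostname":"example.test","url":"/","http_method":"GET","request_headers":[{"name":"Host","value":"example.test"}]}}
{"timestamp":"2023-09-26T14:13:35.100000+0700","flow_id":1,"event_type":"http","tx_id":0,"http":{"hostname":"example.test","url":"/","http_method":"GET","status":200,"request_headers":[{"name":"Host","value":"example.test"}],"response_headers":[{"name":"Server","value":"nginx"},{"name":"Content-Type","value":"text/html"}]}}
{"timestamp":"2023-09-26T14:13:36.000000+0700","flow_id":2,"event_type":"alert","tx_id":0,"alert":{"signature_id":3232032,"signature":"constructed test rule"},"http":{"hostname":"other.test","url":"/x","http_method":"GET"}}
"""


def parse_eve(text):
    """Yield one dict per non-empty EVE JSON line; skip malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def enrich_alerts(events):
    """Join HTTP alerts with the later http record of the same (flow_id, tx_id).

    Alerts are emitted as soon as the request matches, so they are kept in a
    pending table until the http transaction record (which carries the
    response side) shows up. Alerts with no tx_id cannot be correlated and are
    returned as-is with response fields set to None.
    """
    pending = defaultdict(list)   # (flow_id, tx_id) -> alert records
    enriched = []
    for ev in events:
        etype = ev.get("event_type")
        key = (ev.get("flow_id"), ev.get("tx_id"))
        if etype == "alert" and "http" in ev:
            rec = {
                "timestamp": ev.get("timestamp"),
                "flow_id": ev.get("flow_id"),
                "tx_id": ev.get("tx_id"),
                "signature_id": ev.get("alert", {}).get("signature_id"),
                "request_headers": ev["http"].get("request_headers", []),
                "response_status": None,
                "response_headers": None,
            }
            enriched.append(rec)
            if ev.get("tx_id") is not None:
                pending[key].append(rec)
        elif etype == "http" and key in pending:
            http = ev.get("http", {})
            for rec in pending.pop(key):
                rec["response_status"] = http.get("status")
                rec["response_headers"] = http.get("response_headers")
    return enriched


def header_value(headers, name):
    """Case-insensitive lookup in an EVE header list of {name, value} dicts."""
    for h in headers or []:
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None


def unresolved(enriched):
    """Alerts for which no http record with response headers was seen."""
    return [r for r in enriched if r["response_headers"] is None]


if __name__ == "__main__":
    results = enrich_alerts(parse_eve(SAMPLE_EVE))
    for r in results:
        print(r["flow_id"], r["signature_id"], r["response_status"],
              header_value(r["response_headers"], "Server"))
    print("unresolved:", len(unresolved(results)))
```

On a live `eve.json` the same loop runs over the file as it is tailed; alerts left in the pending table after the flow ends (the `flow` record for that `flow_id`, or a timeout) are the transactions for which Suricata never saw a response, which matches what the debug log shows at alert time.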