There is no HTTP response header in alert sometimes

sbhardwaj · October 3, 2023, 10:56am

Hi @peter_liu !
Welcome to our forum!

When I tried some pcap, there is no HTTP response header in Alert info when my rule matched HTTP request header sometimes

This happens because the alert is processed right when a match is made and the response may have not been parsed yet.
In order to get the corresponding response info, you can either:

correlate the flow_id of the alert and the http event to get the response info from the http event.
set flowbits on the transaction such that the alert only happens when the response is also seen. See 8.11. Flow Keywords — Suricata 8.0.0-dev documentation

Topic		Replies	Views
Alert triggered but nothing in the pcap Rules rules , suricata	2	342	September 19, 2022
Alert based on custom http header with suricata rule Rules aws-network-firewall	3	751	June 26, 2023
Missing Alert - http.request body (alone) and http.request_body/url_decode in a single rule Rules	2	817	January 4, 2021
Suricata not trigger Alert via file Pcap record from Wireshark Help	5	741	June 8, 2023
How to log alert into a pcap Help	4	746	July 18, 2023

There is no HTTP response header in alert sometimes

Related Topics