Hi @peter_liu !
Welcome to our forum!
When I tried some pcaps, there was sometimes no HTTP response header in the Alert info when my rule matched an HTTP request header.
This happens because the alert is processed right when a match is made, and the response may not have been parsed yet.
In order to get the corresponding response info, you can either:
- correlate the flow_id of the alert and the http event to get the response info from the http event.
- set flowbits on the transaction such that the alert only happens when the response is also seen. See 8.11. Flow Keywords — Suricata 8.0.0-dev documentation
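As an added example (not part of the original post or of Suricata itself), the script below shows the first approach: it reads EVE JSON lines and joins each alert to the http event of the same flow_id and tx_id, which is where the response status and headers end up once the transaction has completed. The EVE lines are constructed for illustration; the field names (flow_id, tx_id, event_type, http.status) are the ones Suricata's EVE output uses. The flowbits rule pair in the FLOWBITS_RULES string illustrates the second approach with made-up sids and flowbit name; the second rule fires only once the response is seen.

```python
import json

# Second approach from the post, as example rules (made-up sids and flowbit name):
# the first rule matches the request but is silenced with flowbits:noalert; the
# second rule alerts on the response, so response data is available in the alert.
FLOWBITS_RULES = r'''
alert http any any -> any any (msg:"HTTP request seen"; flow:established,to_server; http.method; content:"POST"; flowbits:set,example.req_seen; flowbits:noalert; sid:1000001; rev:1;)
alert http any any -> any any (msg:"Response to matched request"; flow:established,to_client; flowbits:isset,example.req_seen; http.stat_code; content:"302"; sid:1000002; rev:1;)
'''

# Constructed sample EVE lines (not real captured output). The alert for flow 111
# is logged at request time and has no response; the http event for the same
# transaction, logged later, carries the status. Flow 222 never got a response.
SAMPLE_EVE = r'''
{"timestamp":"2024-01-01T10:00:00.000001+0000","flow_id":111,"event_type":"alert","tx_id":0,"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":1000001,"signature":"HTTP request seen"},"http":{"hostname":"example.test","url":"/login","http_method":"POST"}}
{"timestamp":"2024-01-01T10:00:00.200000+0000","flow_id":111,"event_type":"http","tx_id":0,"http":{"hostname":"example.test","url":"/login","http_method":"POST","status":302,"length":0}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":222,"event_type":"alert","tx_id":0,"alert":{"signature_id":1000001,"signature":"HTTP request seen"},"http":{"hostname":"example.test","url":"/index.html","http_method":"GET"}}
'''


def correlate_alerts(eve_lines):
    """Join each alert event to the http event of the same (flow_id, tx_id).

    Returns one dict per alert, in alert order. 'response' is the http event's
    'http' object (status, length, ...) or None when no http event for that
    transaction exists in the input, i.e. the response was never parsed/logged.
    Keying on tx_id as well as flow_id keeps keep-alive connections with several
    transactions on one flow from being mixed up.
    """
    alerts = []
    http_by_tx = {}
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or partial lines in a live log
        key = (ev.get("flow_id"), ev.get("tx_id"))
        event_type = ev.get("event_type")
        if event_type == "alert":
            alerts.append((key, ev))
        elif event_type == "http":
            http_by_tx[key] = ev

    joined = []
    for key, ev in alerts:
        http_ev = http_by_tx.get(key)
        joined.append({
            "flow_id": key[0],
            "tx_id": key[1],
            "signature_id": ev["alert"]["signature_id"],
            "request": ev.get("http", {}),
            "response": http_ev["http"] if http_ev else None,
        })
    return joined


if __name__ == "__main__":
    for rec in correlate_alerts(SAMPLE_EVE.splitlines()):
        status = rec["response"]["status"] if rec["response"] else "no response logged"
        print(f"flow {rec['flow_id']} tx {rec['tx_id']} sid {rec['signature_id']}: "
              f"{rec['request'].get('http_method')} {rec['request'].get('url')} -> {status}")
```

Run it against a real eve.json by replacing SAMPLE_EVE.splitlines() with the file's lines; alerts whose http event has not been written yet will show as "no response logged" until the transaction completes.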