Hi team, I think I’ve found a bug, I tried to create an account on the bug tracker, but it didn’t work, so I’m posting the question here to ask for help.
Purpose: Capture the entire stream of http, including requests and responses, as well as the body of the response
Measure:
-
Eve JSON Output
(1) Create a rule to match http traffic and trigger an event
(2) Open the following configuration to record the http body
types:
- alert:
#payload: yes
payload-buffer-size: 8192kb
payload-printable: yes
#packet: yes
metadata: yes
#http-body: yes
http-body-printable: yes -
Lua Output
Create lua output script to capture http traffic
Issues:
- Both methods of http traffic capture work fine in some cases (about 50% of cases)
- Both methods of http traffic capture have the same stream loss problem, even in the case of non-high traffic, such as downloading an 800k file, the entire stream only captures the first request packet, and the subsequent packets are lost
- Use tcpdump for further testing. It is found that tcpdump can capture the complete stream, while suricata only captures the first request
- From the analysis of the troubleshooting process, the phenomenon is close to that suricata fails to correctly identify the subsequent packets as http traffic in the same stream, so they are discarded
Asking for help here, thanks.