<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>
<div>I upgraded to 3.2.1 but I still have the same issue. </div>
<div> </div>
<div>> /opt/suricata/bin/suricata -V<br/>
This is Suricata version 3.2.1 RELEASE</div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Wednesday, March 29, 2017 at 12:43 PM<br/>
<b>From:</b> "Victor Julien" <lists@inliniac.net><br/>
<b>To:</b> oisf-users@lists.openinfosecfoundation.org<br/>
<b>Subject:</b> Re: [Oisf-users] HTTP Parsing on partial PCAP</div>
<div name="quoted-content">On 29-03-17 18:55, secres@linuxmail.org wrote:<br/>
> Today I was trying to create a rule to detect some HTTP activity using a<br/>
> PCAP. I've done this without issue before but anytime I tried to use<br/>
> HTTP_URI, or any HTTP_ buffer, the signature would fail. I also created a<br/>
> quick luajit script to print out the payload and it would contain the<br/>
> entire URI, HEADERS and BODY. If I used http.request_body it wouldn't<br/>
> contain anything. The only thing different from this pcap to some of<br/>
> the others I've used is that it's a partial pcap in that it doesn't<br/>
> contain the 3-way handshake to the server. Is there a command line<br/>
> option or config change to ignore the 3-way handshake and parse<br/>
> everything into the proper buffers or is there another issue?<br/>
<br/>
--set stream.midstream=true<br/>
<br/>
>> /opt/suricata/bin/suricata -V<br/>
> This is Suricata version 3.2beta1 RELEASE<br/>
<br/>
Please upgrade to 3.2.1.<br/>
<br/>
Cheers,<br/>
Victor<br/>
<br/>
<br/>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Spark v1.1";<br/>
> content:"loading.php"; http_uri; content:"Spark v1.1"; http_header;<br/>
> luajit:myscript.lua; sid:11223344; rev:1;)<br/>
><br/>
> myscript.lua<br/>
> -- init(): tell Suricata which buffers this script wants to inspect<br/>
> function init (args)<br/>
>     local needs = {}<br/>
>     needs["payload"] = tostring(true)<br/>
>     return needs<br/>
> end<br/>
> <br/>
> -- match(): called with the requested buffers; return 1 to match, 0 otherwise<br/>
> function match(args)<br/>
>     local a = tostring(args["payload"])<br/>
>     if #a > 0 then<br/>
>         -- plain (non-pattern) find, so the "." in "v1.1" is matched literally<br/>
>         if a:find("Spark v1.1", 1, true) then<br/>
>             print(a)<br/>
>             return 1<br/>
>         end<br/>
>     end<br/>
>     return 0<br/>
> end<br/>
> <br/>
> return 0<br/>
><br/>
><br/>
> _______________________________________________<br/>
> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br/>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br/>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br/>
><br/>
<br/>
<br/>
--<br/>
---------------------------------------------<br/>
Victor Julien<br/>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br/>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br/>
---------------------------------------------<br/>
<br/>
</div>
</div>
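<div>The check behind Victor's one-line answer, as an added example that is not part of this thread or of the Suricata project: a stdlib-only script that parses a classic libpcap file and reports, per TCP flow, whether the first data segment was preceded by a SYN. A flow that starts with data is exactly the case in which Suricata, with the default <code>stream.midstream: false</code>, never creates the session and therefore never feeds the bytes to the HTTP parser, so the <code>http_uri</code> / <code>http_header</code> buffers stay empty while the raw payload still contains the whole request. The sample capture, the hosts, ports and request bytes are constructed here; the Suricata flags used (<code>-r</code>, <code>-S</code>, <code>-l</code>, <code>--set</code>) are real, the output directory name <code>./suricata-logs</code> is an arbitrary choice.</div>

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits used below


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame (constructed test data; IP and TCP
    checksums are left zero, which the parser below does not need)."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      5 << 4, flags, 8192, 0, 0) + payload   # 20-byte header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap Ethernet frames in a little-endian libpcap 2.4 file image."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp_segments(pcap_bytes):
    """Yield (src, sport, dst, dport, flags, payload) for every IPv4/TCP
    segment of a classic libpcap file; pcapng is deliberately rejected."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a libpcap file (pcapng or unknown magic)")
    if struct.unpack(e + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(e + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                        # not IPv4
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        if ip[9] != 6:
            continue                                        # not TCP
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[(ip[0] & 0x0F) * 4:]                       # skip IP options
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, sport, dst, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:]


def classify_flows(pcap_bytes):
    """Map each TCP flow to 'handshake', 'midstream' or 'no-data'.
    'midstream' = first data segment seen before any SYN for that flow."""
    state = {}
    for src, sport, dst, dport, flags, payload in iter_tcp_segments(pcap_bytes):
        key = tuple(sorted([(src, sport), (dst, dport)]))   # direction-independent
        st = state.setdefault(key, {"syn": False, "verdict": None})
        if flags & SYN:
            st["syn"] = True
        if payload and st["verdict"] is None:
            st["verdict"] = "handshake" if st["syn"] else "midstream"
    return {k: v["verdict"] or "no-data" for k, v in state.items()}


def needs_midstream(pcap_bytes):
    return any(v == "midstream" for v in classify_flows(pcap_bytes).values())


def suricata_command(pcap_path, rules_path, pcap_bytes):
    """argv to replay the pcap against one rule file, adding the
    stream.midstream override only when the capture actually needs it."""
    cmd = ["suricata", "-r", pcap_path, "-S", rules_path, "-l", "./suricata-logs"]
    if needs_midstream(pcap_bytes):
        cmd += ["--set", "stream.midstream=true"]
    return cmd


# Constructed sample: the same request on two flows, one captured from the
# SYN onward and one where the capture started after the handshake.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
REQUEST = (b"GET /loading.php HTTP/1.1\r\nHost: example.test\r\n"
           b"User-Agent: Spark v1.1\r\n\r\n")
SAMPLE_PCAP = build_pcap([
    tcp_frame(CLIENT, SERVER, 40001, 80, SYN),
    tcp_frame(SERVER, CLIENT, 80, 40001, SYN | ACK),
    tcp_frame(CLIENT, SERVER, 40001, 80, ACK),
    tcp_frame(CLIENT, SERVER, 40001, 80, PSH | ACK, REQUEST),
    tcp_frame(CLIENT, SERVER, 40002, 80, PSH | ACK, REQUEST),  # no handshake
])

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_PCAP).items():
        print(flow, verdict)
    print(" ".join(suricata_command("partial.pcap", "spark.rules", SAMPLE_PCAP)))
```

<div>Running it on a real capture (replace <code>SAMPLE_PCAP</code> with the file's bytes) tells you before you touch Suricata whether the HTTP session you care about is one of the "midstream" flows; if it is, no version upgrade will populate <code>http_uri</code> on its own, and the <code>--set stream.midstream=true</code> override (or <code>midstream: true</code> under <code>stream:</code> in suricata.yaml) is what makes the stream engine pick the session up. The script only understands classic libpcap on Ethernet; a pcapng capture or a different link type raises instead of silently reporting nothing.</div>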
</div>
</div></div></body></html>