<div dir="ltr"><div>For your first concern about the pcap only having the single packet vs the stream do you have the stream.midstream option set to true in your config?</div><div><br></div><div><a href="https://suricata.readthedocs.io/en/suricata-4.1.5/configuration/suricata-yaml.html#stream-engine">https://suricata.readthedocs.io/en/suricata-4.1.5/configuration/suricata-yaml.html#stream-engine</a><br></div><div><br></div><div dir="ltr"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;white-space:nowrap">-- </span></div><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;font-weight:bold;white-space:nowrap">Eric Urban</span><br></div><div dir="ltr"><span style="color:rgb(0,0,0);font-family:'Helvetica Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University Information Security | Office of Information Technology | </span><a href="http://it.umn.edu/" style="color:rgb(17,85,204);font-family:'Helvetica Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap" target="_blank">it.umn.edu</a><br style="color:rgb(0,0,0);font-family:'Helvetica Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"><span style="color:rgb(0,0,0);font-family:'Helvetica Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University of Minnesota | </span><a href="http://umn.edu/" style="color:rgb(17,85,204);font-family:'Helvetica Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap" target="_blank">umn.edu</a><br style="color:rgb(0,0,0);font-family:'Helvetica 
Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"><a href="mailto:eurban@umn.edu" style="color:rgb(17,85,204);font-family:'Helvetica Neue',Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap" target="_blank">eurban@umn.edu</a><font style="color:rgb(136,136,136);font-size:12.8px" face="verdana, sans-serif"><br></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 25, 2019 at 10:37 AM David Wharton <<a href="mailto:oisf@davidwharton.us">oisf@davidwharton.us</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF">
    <p>Can you share the pcaps and rules you are testing with?  I can
      make a pretty good guess as to what is going on but it'd be easier
      to explain with the pcaps.</p>
    <p>Thanks.<br>
    </p>
    <p>-David<br>
    </p>
    <div>On 11/24/19 7:08 PM, Lucas Augusto Mota
      de Alcantara wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">
        <div>Hello everyone,</div>
        <div><br>
        </div>
        <div>I'm running Suricata with a pcap file as input to test some
          rules at detecting a specific packet. The problem is that when
          the input pcap file has only the packet I'm interested in,
          Suricata doesn't alert anything; it only alerts when the input
          file has the whole TCP stream. I tried to include flow:
          stateless, flow: no_stream and some other flow option values
          to the rule, but it didn't change the result. What should I
          do?</div>
        <div><br>
        </div>
        <div>Another point is that even with the whole TCP stream,
          Suricata only alerts when one specific content option in the
          rule has the http_uri modifier. <br>
        </div>
        <div><br>
        </div>
        <div>This is the rule that works with the whole TCP stream:<br>
          alert tcp any any -> any any (msg:"Testing rule 0";
          content: "GET "; content: "/cron.php?"; content:
          "include_path="; http_uri; content: "../"; sid:1099019;)</div>
        <div><br>
        </div>
        <div>If I remove the http_uri, it stops alerting. Why?<br>
        </div>
      </div>
      <br>
      <pre>_______________________________________________
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>

Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a>
Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a></pre>
    </blockquote>
  </div>

</blockquote></div></div>
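<div>Added example (mine, not code from any poster in this thread) illustrating Eric's midstream point: a pure-Python pcap reader, fed two constructed captures built inside the script, that reports per TCP flow whether the SYN/SYN-ACK/ACK were captured before the HTTP request, which is exactly the difference between the whole-stream and single-packet pcaps Lucas describes; with stream.midstream left at its default of false, Suricata does not track a session it never saw established, so nothing in that flow reaches the detection engine. The function names (frame, pcap, tcp_flows, stream_verdict), the 10.0.0.x addresses and the request bytes are my assumptions.</div>

```python
import struct

# Constructed sample pcaps (built in memory, not from the thread): one holds the
# TCP 3-way handshake followed by the HTTP request, the other only the request.
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18

def frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame; checksums are left zero, fine for parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap(frames):
    """Little-endian pcap file with Ethernet link type (DLT 1)."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

C, S = "10.0.0.1", "10.0.0.2"          # assumed client / server addresses
REQ = b"GET /cron.php?include_path=../../x HTTP/1.1\r\nHost: test\r\n\r\n"
FULL_STREAM = pcap([frame(C, S, 4444, 80, SYN), frame(S, C, 80, 4444, SYNACK),
                    frame(C, S, 4444, 80, ACK), frame(C, S, 4444, 80, PSHACK, REQ)])
SINGLE_PACKET = pcap([frame(C, S, 4444, 80, PSHACK, REQ)])

def tcp_flows(data):
    """Walk the pcap records and note, per TCP flow, which handshake flags were
    captured and whether any payload was seen. Returns {flow_key: flags_dict}."""
    flows, off = {}, 24                                # skip 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # IPv4 over Ethernet, proto TCP
            continue
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", tcp)
        doff, flags = (tcp[12] >> 4) * 4, tcp[13] & 0x3F
        key = tuple(sorted([(pkt[26:30].hex(), sport), (pkt[30:34].hex(), dport)]))
        f = flows.setdefault(key, dict(syn=False, synack=False, ack=False, payload=False))
        f["syn"] |= flags == SYN
        f["synack"] |= flags == SYNACK
        f["ack"] |= flags == ACK and not f["payload"]   # bare ACK before any data
        f["payload"] |= len(tcp) > doff
    return flows

def stream_verdict(data):
    """'tracked' if every flow's SYN/SYN-ACK/ACK were captured, else 'midstream':
    with stream.midstream false, Suricata does not pick up such a session."""
    flows = tcp_flows(data)
    complete = bool(flows) and all(f["syn"] and f["synack"] and f["ack"] for f in flows.values())
    return "tracked" if complete else "midstream"
```

Run stream_verdict over your own capture to see whether the handshake is present before changing the rule; a "midstream" result means the stream engine, not the rule, is what stops the alert.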