[Oisf-devel] What is Suricata 1.4.1's intended behavior for handling the storing of payload data of multi-packet http requests in unified2 files?
Kevin Branch
kevin at branchnetconsulting.com
Fri May 10 15:16:08 UTC 2013
This is related to the bug I just submitted ("Alerts on http traffic
storing the wrong packet as the IDS event payload")
https://redmine.openinfosecfoundation.org/issues/810
What I am observing is that when an HTTP request is split across
multiple packets, that Suricata events triggering on content in the HTTP
request store the payload from only one of the packets that make up the
HTTP request, frequently the packet that did not trigger the rule.
My question here is: What is Suricata supposed to do with the payload
from multi-packet HTTP requests? When such a request triggers a rule,
is Suricata supposed to store the whole request payload or just the packet
with the offending content? Combining the packets seems the more
attractive option to me.
Kevin
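To reproduce the symptom described above on your own unified2 files, the following is an added example (not code from the post, from Suricata, or from the Redmine ticket). It reads unified2 records using the layouts documented by Snort: type 7 (IDS event, 52 bytes) and type 2 (packet, 28-byte header followed by the captured frame). It assumes DLT_EN10MB frames and strips Ethernet/IPv4/TCP headers to get the application payload, then checks whether the packet record attached to each event actually contains the content that the rule is expected to match. The `sid`-to-content mapping and the sample bytes are constructed for illustration; the first event models the bug (the stored packet is the segment that did not carry the matched content), the second models the expected behaviour.

```python
"""Check which packet payload a unified2 file attached to each alert.

Added example, not Suricata code. Record layouts follow the Snort unified2
documentation; the sample file at the bottom is constructed inline.
"""
import struct
from collections import defaultdict

UNIFIED2_PACKET = 2      # Snort unified2 packet record
UNIFIED2_IDS_EVENT = 7   # Snort unified2 IDS event (IPv4) record
DLT_EN10MB = 1           # libpcap link type for Ethernet


def iter_records(data):
    """Yield (record_type, body) for each record: 4-byte type, 4-byte length, body."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack("!II", data[off:off + 8])
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, body
        off += 8 + rlen


def parse_event(body):
    """Decode the fields of a type-7 event that the check needs."""
    f = struct.unpack("!IIIIIIIIIIIHHBBBB", body[:52])
    return {"event_id": f[1], "sid": f[4], "gid": f[5]}


def parse_packet(body):
    """Decode a type-2 packet record: header then the raw captured frame."""
    f = struct.unpack("!IIIIIII", body[:28])
    return {"event_id": f[1], "linktype": f[5], "data": body[28:28 + f[6]]}


def tcp_payload(frame):
    """Strip Ethernet/IPv4/TCP headers (DLT_EN10MB); b'' for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return b""
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:           # IP protocol byte must be TCP
        return b""
    ip_total = struct.unpack("!H", frame[16:18])[0]
    tcp_start = 14 + ihl
    doff = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + doff:14 + ip_total]


def check_alert_payloads(data, expected_content):
    """Return {event_id: True/False}: does any stored packet for the event
    contain the content expected_content[sid] that the rule matched on?"""
    events, payloads = {}, defaultdict(list)
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = parse_event(body)
            events[ev["event_id"]] = ev
        elif rtype == UNIFIED2_PACKET:
            pk = parse_packet(body)
            if pk["linktype"] == DLT_EN10MB:
                payloads[pk["event_id"]].append(tcp_payload(pk["data"]))
    return {eid: any(expected_content.get(ev["sid"], b"") in p
                     for p in payloads.get(eid, []))
            for eid, ev in events.items()}


# --- constructed sample file (not real captured data) -----------------------
def build_frame(payload):
    """Constructed Ethernet/IPv4/TCP frame carrying payload; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def record(rtype, body):
    return struct.pack("!II", rtype, len(body)) + body


def event_record(event_id, sid):
    body = struct.pack("!IIIIIIIIIIIHHBBBB", 0, event_id, 0, 0, sid, 1, 1, 0, 0,
                       0, 0, 40000, 80, 6, 0, 0, 0)
    return record(UNIFIED2_IDS_EVENT, body)


def packet_record(event_id, frame):
    body = struct.pack("!IIIIIII", 0, event_id, 0, 0, 0, DLT_EN10MB, len(frame))
    return record(UNIFIED2_PACKET, body + frame)


# Event 1: request split over two segments, only the first one was stored
# (the symptom).  Event 2: the stored packet carries the matched content.
SAMPLE = (event_record(1, 2000001)
          + packet_record(1, build_frame(b"GET /index.html?x=aaaa"))
          + event_record(2, 2000001)
          + packet_record(2, build_frame(b"GET /cgi-bin/cmd.exe HTTP/1.1\r\n")))
EXPECTED = {2000001: b"/cmd.exe"}   # hypothetical sid -> rule content

if __name__ == "__main__":
    for eid, ok in check_alert_payloads(SAMPLE, EXPECTED).items():
        print("event %d: stored payload contains matched content: %s" % (eid, ok))
```

Run it against a real file with `check_alert_payloads(open(path, "rb").read(), {sid: content})`; every event that comes back False is a candidate instance of the problem, and the number of packet records per `event_id` tells you whether Suricata wrote one packet or several for that alert.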