[Oisf-devel] What is Suricata 1.4.1's intended behavior for handling the storing of payload data of multi-packet http requests in unified2 files?

Kevin Branch kevin at branchnetconsulting.com
Fri May 10 15:16:08 UTC 2013

This is related to the bug I just submitted ("Alerts on http traffic 
storing the wrong packet as the IDS event payload")

What I am observing is that when an HTTP request is split across 
multiple packets, that Suricata events triggering on content in the HTTP 
request store the payload from only one of the packets that make up the 
HTTP request, frequently the packet that did not trigger the rule.

My question here is:  What is Suricata supposed to do with the payload 
from multi-packet HTTP requests?  When such a request triggers a rule, 
is Suricata supposed store the whole request payload or just the packet 
with the offending content?  Combining the packets seem the more 
attractive to me.


More information about the Oisf-devel mailing list