[Oisf-users] question about alerts-debug schema

Andreas Herz andi at geekosphere.org
Sat May 28 22:37:42 UTC 2016

On 23/05/16 at 17:29, Emanuel Alves wrote:
> Hi everyone,
> I have a question about the information dumped into alerts-debug.
> I'm testing the Suricata with a HTTP rule within a Network with GRE tunnels
> and sometimes I see the fields Payload, Payload len, Stream data, and
> Stream data len within the same alert.

Do you have that rule and a pcap so we can reproduce that?

> Is this a normal and expected behaviour?

Never seen it but I also never used GRE :)

> Thanks
> Emanuel

> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net

Andreas Herz

More information about the Oisf-users mailing list