[Oisf-users] HTTP Parsing on partial PCAP

Peter Manev petermanev at gmail.com
Tue Apr 11 07:27:46 UTC 2017


On Wed, Apr 5, 2017 at 5:52 PM, <secres at linuxmail.org> wrote:
> Yes, I tried it command line as well as in the conf file.
>

What is your run command to do the test? You can try passing "-k none"
to see if it makes any difference if you are reading ("-r") in the pcap.

> Sent: Saturday, April 01, 2017 at 1:36 PM
> From: "Andreas Herz" <andi at geekosphere.org>
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] HTTP Parsing on partial PCAP
> On 29/03/17 at 22:03, secres at linuxmail.org wrote:
>>
>> I upgraded to 3.2.1 but I still have the same issue.
>
> Did you try this setting as Victor did suggest?
>
> --set stream.midstream=true
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



-- 
Regards,
Peter Manev


