[Oisf-users] How to enable suricata to log bi-directional packets of a flow/session to unified2 file if the first packet of the flow/session fires a rule?

Maxim hittlle at 163.com
Sun Feb 5 09:06:02 UTC 2017


Hi all,
I use Suricata 3.2.0 and have enabled the tagged-packets and flow features in suricata.yaml. I intend to capture the bi-directional packets of a flow/session if the first packet of that flow/session fires a rule, so I wrote the following rule:


    alert tcp any any -> any 80 (msg:"test"; sid:1000000; content:"abc"; http_uri; flowbits:isnotset,foo; flowbits:set,foo; tag:session; rev:1;)


Then I used Postman to send an HTTP request to my target machine with the string abc in its URL part. The request did fire this rule, and I could see the request details in my unified2 log file. I used u2spewfoo to view the unified2 file and could see the printable HTTP request, something like "GET /?abc......", but I could not find the HTTP response message in printable format. I don't know why. Do flowbits and tag not work here? Am I missing anything? Many thanks.


Regards
Hittlle
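One way to check this without relying on u2spewfoo's printable dump is to read the unified2 file directly and count, per event_id, how many logged packets go toward the server and how many come back from it. The script below is an added example and is not part of the original post or of Suricata; it assumes the standard unified2 PACKET record layout (record type 2, a seven-field big-endian header followed by the raw frame) and Ethernet link type, and it works on a constructed in-memory sample rather than a real log file. The direction heuristic treats the first packet logged for an event as the to_server direction and a packet with the reversed 4-tuple as to_client, which is what a working tag:session would produce for the HTTP response.

```python
import struct
import socket
from collections import defaultdict

# Unified2 record type we care about (big-endian Snort/Suricata format).
U2_PACKET = 2           # raw packet record: the alert packet, or a tag:session / tag:host packet
LINKTYPE_ETHERNET = 1   # DLT_EN10MB, what Suricata writes for Ethernet captures


def ipv4_tcp_frame(src, sport, dst, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def packet_record(event_id, frame, sensor_id=0, ts=1486285562):
    """Serialize one unified2 PACKET record (type 2) wrapped in its record header."""
    body = struct.pack("!IIIIIII", sensor_id, event_id, ts, ts, 0,
                       LINKTYPE_ETHERNET, len(frame)) + frame
    return struct.pack("!II", U2_PACKET, len(body)) + body


def iter_records(data):
    """Yield (type, body) for each record header in a unified2 byte string."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        yield rtype, data[off:off + rlen]
        off += rlen


def tcp_tuple(frame):
    """Return (src, sport, dst, dport) from an Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:   # protocol byte must be TCP
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return (src, sport, dst, dport)


def directions_per_event(data):
    """Count packet records per event_id by direction. The first packet seen for an
    event defines 'to_server'; the reversed 4-tuple counts as 'to_client'."""
    first = {}
    counts = defaultdict(lambda: {"to_server": 0, "to_client": 0, "other": 0})
    for rtype, body in iter_records(data):
        if rtype != U2_PACKET or len(body) < 28:
            continue
        _sensor, event_id, _es, _ps, _pus, linktype, plen = struct.unpack_from("!IIIIIII", body, 0)
        t = tcp_tuple(body[28:28 + plen]) if linktype == LINKTYPE_ETHERNET else None
        if t is None:
            counts[event_id]["other"] += 1
            continue
        fwd = first.setdefault(event_id, t)
        if t == fwd:
            counts[event_id]["to_server"] += 1
        elif t == (fwd[2], fwd[3], fwd[0], fwd[1]):
            counts[event_id]["to_client"] += 1
        else:
            counts[event_id]["other"] += 1
    return dict(counts)


def events_missing_response(data):
    """Event ids whose logged packets never include the to_client direction."""
    return sorted(e for e, c in directions_per_event(data).items() if c["to_client"] == 0)


def sample_unified2():
    """Constructed sample: event 1 has the request, the server's reply and a second
    request (tag:session working); event 2 has only the alerting request packet."""
    c, s = "10.0.0.2", "10.0.0.80"
    return b"".join([
        packet_record(1, ipv4_tcp_frame(c, 40000, s, 80, b"GET /?abc HTTP/1.1\r\n")),
        packet_record(1, ipv4_tcp_frame(s, 80, c, 40000, b"HTTP/1.1 200 OK\r\n")),
        packet_record(1, ipv4_tcp_frame(c, 40000, s, 80)),
        packet_record(2, ipv4_tcp_frame(c, 40001, s, 80, b"GET /?abc HTTP/1.1\r\n")),
    ])


if __name__ == "__main__":
    # On a real sensor: data = open("/var/log/suricata/unified2.alert.<ts>", "rb").read()
    data = sample_unified2()
    for event_id, c in directions_per_event(data).items():
        print(event_id, c)
    print("events without a response packet:", events_missing_response(data))
```

To run it against a real capture, replace the constructed sample with the bytes of the unified2 file; an event that shows only to_server packets is one where the tagged response never reached the log, which separates "the rule's tag did not fire" from "u2spewfoo did not print it".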


