Project

General

Profile

Actions

Bug #1946

closed

can't get response info in some situation

Added by wilson green almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

can't get http response in some situation.,and the http log show

 "status":"-","ResponseBytes":"0" 

the function HttpGetResponseLine(),HttpGetRawResponseHeaders(),HttpGetResponseBody() are get null.

The http request and response are:
GET /teamlog/worklog-data/showSharedPeople/ HTTP/1.1
Host: sn.xxxx.com:8080
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36
DNT: 1
Referer: http://sn.xxxx.com:8080/teamlog/worklog/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh,zh-CN;q=0.8,en-US;q=0.6,en;q=0.4,zh-TW;q=0.2,de;q=0.2
Cookie: JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e;

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Language: zh-CN
Transfer-Encoding: chunked
Date: Wed, 09 Nov 2016 06:47:50 GMT

[{"shared":1,"id":2,"username":"......"},{"shared":1,"id":7,"username":"........."},{"shared":0,"id":1,"username":"admin"},{"shared":0,"id":3,"username":"......"},{"shared":0,"id":9,"username":"........."}]

All the http log :

{"timestamp":"11/08/16-19:56:20.432093","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"-","Cookie":"JSESSIONID=E9C3B12FCE7419C3507E308AFF27526A; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/","status":"302","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/08/16-19:56:20.444820","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"-","Cookie":"JSESSIONID=53192C23E69C63D3C51B36E759C13DC1; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog","status":"302","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/08/16-19:56:20.454456","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"-","Cookie":"JSESSIONID=53192C23E69C63D3C51B36E759C13DC1; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/","status":"302","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/08/16-19:56:20.471967","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"-","Cookie":"JSESSIONID=53192C23E69C63D3C51B36E759C13DC1; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/login/%2Fworklog%2F","status":"200","ResponseBytes":"5121","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/08/16-19:56:29.663941","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/login/%2Fworklog%2F","Cookie":"JSESSIONID=53192C23E69C63D3C51B36E759C13DC1; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"POST","hostame":"sn.xxxx.com","URL":"/teamlog/login","status":"200","ResponseBytes":"5165","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.662537","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/BrowseLogItemView.jsp","status":"200","ResponseBytes":"1128","clientIP":"172.19.100.133","clientPort":54516,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.559272","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/res/imgs/default-avatar.png?t=539","status":"200","ResponseBytes":"4001","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.664139","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/BrowseLogCommentView.jsp","status":"200","ResponseBytes":"570","clientIP":"172.19.100.133","clientPort":54517,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.666645","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/EditLogPeopleView.jsp","status":"200","ResponseBytes":"867","clientIP":"172.19.100.133","clientPort":54519,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.654500","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/BrowseLogHeaderView.jsp","status":"200","ResponseBytes":"1024","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.664082","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/BrowseLogPostCommentView.jsp","status":"-","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.956380","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog-data/getTags/","status":"200","ResponseBytes":"247","clientIP":"172.19.100.133","clientPort":54519,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.666677","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/EditLogView.jsp","status":"200","ResponseBytes":"1280","clientIP":"172.19.100.133","clientPort":54518,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.954246","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog-data/showSharedPeople/","status":"-","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.964995","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog-data/showSharedPeople/","status":"-","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080}
{"timestamp":"11/09/16-16:03:45.968752","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog-data/showWorkLogData?period=2016-11-06%2C2016-11-13&people=1","status":"200","ResponseBytes":"2674","clientIP":"172.19.100.133","clientPort":54518,"serverIP":"172.17.106.190","serverPort":8080}

the pcap is in [词典] attachment


Files

qq.com.pcap (57.4 KB) qq.com.pcap wilson green, 11/09/2016 03:03 AM
suricata.3.1.3 online.yaml (68.6 KB) suricata.3.1.3 online.yaml all the cofig wilson green, 11/10/2016 08:58 PM
suricata.yaml (62.5 KB) suricata.yaml The right config wilson green, 11/10/2016 09:10 PM
qq.com.54515-8080.pcap (13.9 KB) qq.com.54515-8080.pcap pcap with flow where logging fails in multi thread Paulo Pacheco, 12/04/2016 07:39 AM
1946.patch (879 Bytes) 1946.patch Paulo Pacheco, 12/04/2016 01:10 PM
Actions #1

Updated by Andreas Herz almost 5 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

What version of suricata are you running and how are you running suricata?
Could you also attach the relevant parts of your suricata.yaml?

Actions #2

Updated by wilson green almost 5 years ago

The version of suricata is 3.1.3, and it also happend in 3.1.2

[root@localhost bin]# ./suricata --build-info
This is Suricata version 3.1.3 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-11), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.23, linked against LibHTP v0.5.23

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         yes
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       no
  Libnet support:                          no

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /opt/suricata
  Configuration directory:                 /opt/suricata/etc/suricata/
  Log directory:                           /opt/suricata/var/log/suricata/

  --prefix                                 /opt/suricata
  --sysconfdir                             /opt/suricata/etc
  --localstatedir                          /opt/suricata/var

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -march=native
  PCAP_CFLAGS                               -I/usr/local/include
  SECCFLAGS

the http config is :

      libhtp:
         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 35mb
           response-body-limit: 512mb

           # inspection limits
           request-body-minimal-inspect-size: 35mb
           request-body-inspect-window: 35mb
           response-body-minimal-inspect-size: 35mb
           response-body-inspect-window: 512mb

           # response body decompression (0 disables)
           response-body-decompress-layer-limit: 3

           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
           http-body-inline: auto

           # Take a random value for inspection sizes around the specified value.
           # This lower the risk of some evasion technics but could lead
           # detection change between runs. It is set to 'yes' by default.
           #randomize-inspection-sizes: yes
           # If randomize-inspection-sizes is active, the value of various
           # inspection size will be choosen in the [1 - range%, 1 + range%]
           # range
           # Default value of randomize-inspection-range is 10.
           #randomize-inspection-range: 10

           # decoding
           double-decode-path: no
           double-decode-query: no

         server-config:

the

Actions #3

Updated by wilson green almost 5 years ago

sorry ,I give the wrong config.this is the right.
he version of suricata is 3.1.3, and it also happend in 3.1.2

wilson@Wilson ~$ suricata --build-info
This is Suricata version 3.1.3 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1), C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.23, linked against LibHTP v0.5.23

Suricata Configuration:
  AF_PACKET support:                       no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       no
  Libnet support:                          yes

  Suricatasc install:                      yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr/local/Cellar/suricata/3.1.2
  Configuration directory:                 /usr/local/Cellar/suricata/3.1.2/etc/suricata/
  Log directory:                           /usr/local/Cellar/suricata/3.1.2/var/log/suricata/

  --prefix                                 /usr/local/Cellar/suricata/3.1.2
  --sysconfdir                             /usr/local/Cellar/suricata/3.1.2/etc
  --localstatedir                          /usr/local/Cellar/suricata/3.1.2/var

  Host:                                    x86_64-apple-darwin16.1.0
  Compiler:                                llvm-gcc (exec name) / clang (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -DOS_DARWIN -march=native
  PCAP_CFLAGS
  SECCFLAGS

the config is :

   http:
      enabled: yes
      # memcap: 64mb

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of ip addresses or networks for this block
      #   personalitiy:           List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 100mb
           response-body-limit: 100mb

           # inspection limits
           request-body-minimal-inspect-size: 32mb
           request-body-inspect-window: 4mb
           response-body-minimal-inspect-size: 40mb
           response-body-inspect-window: 16mb

           # response body decompression (0 disables)
           response-body-decompress-layer-limit: 2

           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
           http-body-inline: auto

           # Take a random value for inspection sizes around the specified value.
           # This lower the risk of some evasion technics but could lead
           # detection change between runs. It is set to 'yes' by default.
           #randomize-inspection-sizes: yes
           # If randomize-inspection-sizes is active, the value of various
           # inspection size will be choosen in the [1 - range%, 1 + range%]
           # range
           # Default value of randomize-inspection-range is 10.
           #randomize-inspection-range: 10

           # decoding
           double-decode-path: no
           double-decode-query: no

         server-config:

           #- apache:
           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
           #    personality: Apache_2
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no

           #- iis7:
           #    address:
           #      - 192.168.0.0/24
           #      - 192.168.10.0/24
           #    personality: IIS_7_0
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no
Actions #4

Updated by Paulo Pacheco almost 5 years ago

Tried this with --runmode single with good results.
The bug only happens when running with multiple threads.

Actions #5

Updated by wilson green almost 5 years ago

yeah,it's ok with --runmode single.thx

Actions #6

Updated by Paulo Pacheco almost 5 years ago

I've isolated the issue to a single TCP flow from the posted pcap.

It only fails in this flow:
172.019.100.133.54515-172.017.106.190.08080

Actions #7

Updated by Paulo Pacheco almost 5 years ago

Investigating more this issue,

I found out this happens at the shutdown sequence because of a premature call for FlowForceReassembly().

If we place a sleep(1) right after suricata.c main loop or postpone the FlowForceReassembly(), we will have the correct values available for output.

I've tested attached patch, with a basic lua output script from http://suricata.readthedocs.io/en/latest/output/lua-output.html?highlight=lua%20output, and I was able to get correct values.


--------- START -------------------------------------------------
Response Line: [HTTP/1.1 200 OK]
Response Headers: [Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Language: zh-CN
Transfer-Encoding: chunked
Date: Wed, 09 Nov 2016 06:47:50 GMT

]
Response Body Size: [206]

11/09/2016-08:03:45.965109 sn.yeepay.com [**] /teamlog/worklog-data/showSharedPeople/ [**] Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36 [**] 172.19.100.133:54515 -> 172.17.106.190:8080
 -------- END   -------------------------------------------------

The way I did to calculate the response body size

function bodySize(T)
  local size = 0
  if not T then
    return 0
  end
  for key,value in pairs(T) do
        size = size + string.len(value)
  end
  return size
end

...

print ("Response Body Size: [" .. tostring(bodySize(HttpGetResponseBody())) .. "]");
Actions #8

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from Anonymous to Victor Julien

Paulo could you share your full test script + your commandline? Would like to reproduce this but having little luck so far. Thanks!

Actions #9

Updated by Paulo Pacheco over 4 years ago

Just run suricata -r qq.com.54515-8080.pcap ( pcap filtered from submitted pcap with flows that matters ) -c suricata.yaml ( The right config attached here )

If you run with --runmode single it works properly, otherwise, it fails to log to http.log the status":"-","ResponseBytes":"0",

Actions #10

Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 3.2.1

Addressed by: https://github.com/inliniac/suricata/pull/2518

Thanks wilson for the report, and thank Paolo for helping me get a test case.

Actions

Also available in: Atom PDF