Support #2180
HTTP matching partially does not work for 3.2.2 and 4.0.0rc1 under CentOS 7
Status: Closed
Description
Hi,
we use Suricata during a lecture to let the students work with an IDS. During this we discovered a bug in the HTTP detection logic.
Version 3.1 works fine, but both 3.2.2 and 4.0.0rc1 do not report alerts for any of the traffic we used in the lecture.
To test if this is a general problem with the http matching or related to our pcaps, I verified with the `http.cap` sample from wireshark (https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=http.cap). In this pcap I do see alerts for http rules.
I looked at the self-help flowchart (https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Self_Help_Diagrams) without any luck.
I also couldn't find any related bug reports, except maybe https://redmine.openinfosecfoundation.org/issues/1580, which contains no further information and is already quite old.
I uploaded all seemingly relevant files. The second rule is just to verify that Suricata is able to alert at all.
Updated by Peter Manev almost 7 years ago
With the examples provided, 3.2.2 alerts (for the http rule as well) like so:
suricata -v -r 2180.pcap.pcap -S 2180.rules -v -l log/ -k none --set "stream.midstream=true"
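The command above enables `stream.midstream=true`, which lets Suricata's stream engine pick up TCP sessions whose three-way handshake is not in the capture (it also passes `-k none` to skip checksum validation). A practitioner will want to know whether a pcap actually has that problem before changing the setting. The script below is an added example, not part of this ticket or of Suricata; it is a pure-stdlib parser for classic libpcap files with Ethernet/IPv4/TCP frames that reports every TCP flow whose first captured packet lacks the SYN flag. The two-flow capture it builds is constructed inline for demonstration; the helper names (`flows_without_handshake`, `build_sample_pcap`) are this example's own.

```python
"""Report TCP flows in a pcap that start without a SYN (handshake missing).

Added example, not Suricata code. Such flows are the ones the stream engine
ignores unless stream.midstream=true, so no HTTP inspection happens on them.
Handles classic libpcap files (not pcapng) with Ethernet/IPv4/TCP frames.
"""
import struct
from collections import OrderedDict

TCP_SYN = 0x02
TCP_PSH = 0x08
TCP_ACK = 0x10


def _flow_key(src, sport, dst, dport):
    # Order the two endpoints so both directions map to the same flow.
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap buffer."""
    magic = data[:4]
    if magic == b'\xd4\xc3\xb2\xa1':
        end = '<'          # little-endian file
    elif magic == b'\xa1\xb2\xc3\xd4':
        end = '>'          # big-endian file
    else:
        raise ValueError('not a classic pcap file (pcapng is not handled)')
    linktype = struct.unpack(end + 'I', data[20:24])[0]
    if linktype != 1:
        raise ValueError('only Ethernet (DLT 1) frames are handled here')
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + 'IIII', data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl


def tcp_fields(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':   # not IPv4
        return None
    if frame[23] != 6:                                    # not TCP
        return None
    ihl = (frame[14] & 0x0f) * 4
    src = '.'.join(str(b) for b in frame[26:30])
    dst = '.'.join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack('>HH', tcp[:4])
    return src, sport, dst, dport, tcp[13]


def flows_without_handshake(data):
    """Return {flow_key: first_flags} for TCP flows whose first packet has no SYN."""
    first = OrderedDict()
    for _ts, frame in parse_pcap(data):
        f = tcp_fields(frame)
        if f is None:
            continue
        key = _flow_key(f[0], f[1], f[2], f[3])
        if key not in first:
            first[key] = f[4]
    return {k: v for k, v in first.items() if not v & TCP_SYN}


def _frame(src, sport, dst, dport, flags):
    # Minimal Ethernet/IPv4/TCP frame, no payload; checksums left as zero.
    eth = b'\x00' * 12 + b'\x08\x00'
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split('.')),
                     bytes(int(x) for x in dst.split('.')))
    tcp = struct.pack('>HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: one flow with a full handshake, one starting mid-stream."""
    hdr = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    frames = [
        _frame('10.0.0.1', 40000, '10.0.0.2', 80, TCP_SYN),
        _frame('10.0.0.2', 80, '10.0.0.1', 40000, TCP_SYN | TCP_ACK),
        _frame('10.0.0.1', 40000, '10.0.0.2', 80, TCP_ACK),
        _frame('10.0.0.3', 50000, '10.0.0.2', 80, TCP_PSH | TCP_ACK),  # no SYN seen
        _frame('10.0.0.2', 80, '10.0.0.3', 50000, TCP_ACK),
    ]
    out = hdr
    for i, fr in enumerate(frames):
        out += struct.pack('<IIII', 1500000000 + i, 0, len(fr), len(fr)) + fr
    return out


if __name__ == '__main__':
    import sys
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_pcap()
    for (a, b), flags in flows_without_handshake(data).items():
        print('no handshake: %s:%d <-> %s:%d (first flags 0x%02x)' % (a[0], a[1], b[0], b[1], flags))
```

Run it against your own capture with `python3 check_midstream.py file.pcap`; any flow it lists is one that only gets stream and HTTP inspection once `stream.midstream=true` is set (on the command line as above, or as `midstream: true` under the `stream:` section of suricata.yaml).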
Updated by Anonymous almost 7 years ago
Thanks for the help. This works for us.
You can close the bugreport.
Updated by Victor Julien almost 7 years ago
- Tracker changed from Bug to Support
- Status changed from New to Closed