Added by Victor Julien over 8 years ago. Updated about 6 years ago.
Description
Currently the parser requires traffic from both sides to be useful/effective.
Jeffrey has created an http parser that we should evaluate for use. Should include http2?
Currently the parser requires traffic from both sides to be useful/effective.
How so ?
From my experience of the code, it is "effective" as it should match signature with http keywords
I did not test it yet but I would like what is expected first.
Not sure if this is still true. Some updates were made to libhtp and suricata to allow for this. I think it's a good idea to create some test cases (suricata-verify) for both all request and all response traffic. I'm especially curious how multi-tx sessions work.
Philippe, can you make some SV tests for this? TS only, TC only. Checking logging, file extraction, signature matching?