No payload for http alert data.
The http_* keywords use the http state which is working on top of the stream engine.
It currently works on ACK'd data, so the packet that contained the actual data is not the one triggering the alert, as the ACK comes in through a later packet.
A payload should probably be crafted for the alerts though...
Updated by Victor Julien over 10 years ago
- Status changed from New to Assigned
- % Done changed from 0 to 50
In current git the first part of the solution is available: it logs the reassembled payload to alert-debuglog and unified2 if the signature matched on the reassembled stream. The app layer state, such as http, is still a todo.
Updated by Victor Julien about 10 years ago
- Status changed from Assigned to Closed
Closed with the following notes:
1. prelude is still a todo (#355)
2. unified1 won't get updated as it's scheduled for removal (#353)
3. packets are logged from the stream engine segment list: these are already corrected for overlaps and retransmissions, so they may not fully reflect the actual packet on the wire
4. in addition to 3, the packets in the segment list have payload only, so a fake minimal ip4/ip6 and tcp header is logged
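As an added example (not Suricata's code and not part of this ticket), the Python below shows the shape of what notes 3 and 4 describe: a reassembled stream payload has no wire packet of its own (the http_* match fires on ACK'd data, see the description), so to write it to a packet-oriented log it is wrapped in a synthetic minimal IPv4 or IPv6 header plus a 20-byte TCP header. The header field values used here (TTL 64, PSH|ACK, window 0xFFFF, zero IP id, no options) are this example's own assumptions, not what Suricata emits, and the HTTP request bytes are constructed. A parser recomputes both checksums so a consumer can confirm the synthetic record is internally consistent, which says nothing about whether it matches the original wire packet.

```python
"""Wrap a reassembled TCP payload in a synthetic IPv4/IPv6 + TCP header and
verify the result. Example code; field values are assumptions, not Suricata's."""
import socket
import struct

TCP_PROTO = 6

# Constructed sample: a reassembled HTTP request as the stream engine would hand it over.
REASSEMBLED_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of big-endian 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input; the pad byte is not part of the packet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries back in
    return (~total) & 0xFFFF


def fake_tcp_segment(sport, dport, seq, ack, payload, pseudo_header):
    """Minimal 20-byte TCP header (data offset 5, PSH|ACK, window 0xFFFF, no options)
    followed by the payload, with the checksum computed over the given pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 0xFFFF, 0, 0)
    csum = ones_complement_checksum(pseudo_header + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def fake_ipv4_packet(src, dst, sport, dport, seq, ack, payload):
    """20-byte IPv4 header (id 0, no fragmentation, TTL 64) + TCP segment + payload."""
    s, d = socket.inet_pton(socket.AF_INET, src), socket.inet_pton(socket.AF_INET, dst)
    tcp_len = 20 + len(payload)
    pseudo = s + d + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)  # IPv4 pseudo-header
    tcp = fake_tcp_segment(sport, dport, seq, ack, payload, pseudo)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, TCP_PROTO, 0, s, d)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp


def fake_ipv6_packet(src, dst, sport, dport, seq, ack, payload):
    """40-byte IPv6 header (hop limit 64, next header TCP) + TCP segment + payload."""
    s, d = socket.inet_pton(socket.AF_INET6, src), socket.inet_pton(socket.AF_INET6, dst)
    tcp_len = 20 + len(payload)
    pseudo = s + d + struct.pack("!IBBBB", tcp_len, 0, 0, 0, TCP_PROTO)  # IPv6 pseudo-header
    tcp = fake_tcp_segment(sport, dport, seq, ack, payload, pseudo)
    ip = struct.pack("!IHBB16s16s", 6 << 28, tcp_len, TCP_PROTO, 64, s, d)
    return ip + tcp


def parse_fake_packet(pkt: bytes) -> dict:
    """Decode an IPv4/IPv6 + TCP record and recompute its checksums."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        ip_ok = ones_complement_checksum(pkt[:ihl]) == 0  # valid header sums to zero
        proto, s, d, l4 = pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]
        pseudo = s + d + struct.pack("!BBH", 0, proto, len(l4))
        src, dst = socket.inet_ntop(socket.AF_INET, s), socket.inet_ntop(socket.AF_INET, d)
    elif version == 6:
        ip_ok = True  # IPv6 has no header checksum
        proto, s, d, l4 = pkt[6], pkt[8:24], pkt[24:40], pkt[40:]
        pseudo = s + d + struct.pack("!IBBBB", len(l4), 0, 0, 0, proto)
        src, dst = socket.inet_ntop(socket.AF_INET6, s), socket.inet_ntop(socket.AF_INET6, d)
    else:
        raise ValueError("not an IP packet")
    if proto != TCP_PROTO or len(l4) < 20:
        raise ValueError("not a TCP packet")
    sport, dport, seq, ack = struct.unpack("!HHII", l4[:12])
    doff = (l4[12] >> 4) * 4
    tcp_ok = ones_complement_checksum(pseudo + l4) == 0
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "ip_checksum_ok": ip_ok, "tcp_checksum_ok": tcp_ok, "payload": l4[doff:]}


if __name__ == "__main__":
    rec = fake_ipv4_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1, 1, REASSEMBLED_REQUEST)
    print(parse_fake_packet(rec))
```

The sequence and acknowledgement numbers passed in are whatever the caller has for the reassembled chunk; the example does not try to reconstruct the wire packet's own header fields, since by note 3 the segment list no longer corresponds one-to-one to packets on the wire.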