Bug #264
closedNo payload for http alert data.
Description
The http_* keywords use the http state which is working on top of the stream engine.
It currently works on ACK'd data, so the packet that contained the actual data is not the one triggering the alert, as the ACK comes in through a later packet.
There should probably be crafted a payload for the alerts though...
Updated by Victor Julien almost 14 years ago
- Assignee set to Victor Julien
- Target version set to 1.1beta2
Will be tasked to one of the OISF devs.
Updated by Victor Julien over 13 years ago
- Status changed from New to Assigned
- % Done changed from 0 to 50
In current git the first part of the solution is available: it logs the reassembled payload to alert-debuglog and unified2 if the signature matched on the reassembled stream. The app layer state, such as http, is still a todo.
Updated by Victor Julien over 13 years ago
- Target version changed from 1.1beta2 to 1.1beta3
App layer (such as http) state based alerts will be addressed in 1.1beta3.
Updated by Victor Julien about 13 years ago
- Assignee changed from Victor Julien to Eric Leblond
- Estimated time set to 12.00 h
Updated by Victor Julien about 13 years ago
- Due date set to 10/17/2011
- Priority changed from Normal to High
Updated by Victor Julien almost 13 years ago
- Status changed from Assigned to Closed
Closed with the following notes:
1. prelude is still a todo (#355)
2. unified1 won't get updated as it's scheduled for removal (#353)
3. packets are logged from the stream engine segment list: this are already corrected for overlaps and retransmissions so they may not fully reflect the actual packet on the wire
4. in addition to 3, the packets in the segment list have payload only, so a fake minimal ip4/ip6 and tcp header is logged