Bug #264

closed

No payload for http alert data.

Added by Edward Fjellskål almost 11 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The http_* keywords use the http state which is working on top of the stream engine.
It currently works on ACK'd data, so the packet that contained the actual data is not the one triggering the alert, as the ACK comes in through a later packet.

A payload should probably be crafted for the alerts though...

Actions #1

Updated by Victor Julien almost 11 years ago

  • Assignee set to Victor Julien
  • Target version set to 1.1beta2

Will be tasked to one of the OISF devs.

Actions #2

Updated by Victor Julien over 10 years ago

  • Status changed from New to Assigned
  • % Done changed from 0 to 50

In current git the first part of the solution is available: it logs the reassembled payload to alert-debuglog and unified2 if the signature matched on the reassembled stream. The app layer state, such as http, is still a todo.

Actions #3

Updated by Victor Julien over 10 years ago

  • Target version changed from 1.1beta2 to 1.1beta3

App layer (such as http) state based alerts will be addressed in 1.1beta3.

Actions #4

Updated by Victor Julien about 10 years ago

  • Assignee changed from Victor Julien to Eric Leblond
  • Estimated time set to 12.00 h

Actions #4

Updated by Victor Julien about 10 years ago

  • Due date set to 10/17/2011
  • Priority changed from Normal to High

Actions #6

Updated by Victor Julien about 10 years ago

  • Status changed from Assigned to Closed

Closed with the following notes:

1. prelude is still a todo (#355)
2. unified1 won't get updated as it's scheduled for removal (#353)
3. packets are logged from the stream engine segment list: these are already corrected for overlaps and retransmissions so they may not fully reflect the actual packet on the wire
4. in addition to 3, the packets in the segment list have payload only, so a fake minimal ip4/ip6 and tcp header is logged
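As an added illustration of note 4 above (this is not code from Suricata or from this ticket), the following wraps a reassembled payload in a minimal synthetic IPv4/TCP header so it can be written to a packet-style log, and parses such a record back to show which fields a log consumer can rely on. The addresses, ports and HTTP payload are constructed sample values.

```python
import struct

# Constructed sample: a reassembled HTTP request as the stream engine would hand it over.
REASSEMBLED_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def ip_checksum(header: bytes) -> int:
    # RFC 1071 ones'-complement sum; over a header with its checksum filled in this returns 0.
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_fake_packet(payload: bytes, src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    # Only addresses, ports, lengths and the IP checksum are meaningful. TTL, IP ID,
    # sequence/ack numbers and TCP flags are synthetic placeholders: the segment list
    # holds payload only, so nothing about the original wire packet survives here.
    total_len = 20 + 20 + len(payload)
    ip_no_sum = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_len,  # version 4 / IHL 5, DSCP, total length
                            0, 0,                # identification, flags+fragment offset (synthetic)
                            64, 6, 0,            # TTL (synthetic), protocol TCP, checksum placeholder
                            _ip_bytes(src_ip), _ip_bytes(dst_ip))
    ip_hdr = ip_no_sum[:10] + struct.pack("!H", ip_checksum(ip_no_sum)) + ip_no_sum[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport,
                          0, 0,                # seq / ack: synthetic, no stream position recorded
                          5 << 4, 0x18,        # data offset 5 words, flags PSH|ACK (synthetic)
                          0xFFFF, 0, 0)        # window, TCP checksum left zero, urgent pointer
    return ip_hdr + tcp_hdr + payload


def parse_fake_packet(pkt: bytes):
    # Validate the IPv4 header and return (src, dst, sport, dport, payload).
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    tcp_len = (pkt[ihl + 12] >> 4) * 4
    return src, dst, sport, dport, pkt[ihl + tcp_len:total_len]
```

When reading such records, treat the 5-tuple and payload as authoritative and ignore TTL, IP ID, sequence numbers and flags, since they were never observed on the wire.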
