Bug #5165
http: request not logged when response comes before request
Status: open
Description
Hi,
In a TCP session, if the request is seen after the response, Suricata (at least the logging part) doesn't consider the request. We only get the response log.
In the attached pcap,
1. Packets 1-2-3 establish session
2. Response packet 4
3. Request at 6
4. TCP session close at 8-9-10
Suricata logging doesn't include the request and we see the below logs.
{"timestamp":"2022-02-28T03:46:25.436228+0000","flow_id":1097925804505446,"in_iface":"wlp2s0b1","event_type":"http","src_ip":"192.168.0.105","src_port":55758,"dest_ip":"192.168.0.114","dest_port":8090,"proto":"6","tx_id":0,"http":{"http_port":0,"url":"/libhtp::request_uri_not_seen","http_content_type":"application/json","status":200,"length":0,"request_headers":[],"response_headers":[{"name":"Content-Type","value":"application/json; charset=utf-8"},{"name":"Date","value":"Mon, 28 Feb 2022 03:10:38 GMT"},{"name":"Content-Length","value":"0"}]}}
Have tried the following with no change in behavior:
1. midstream = true
2. async-oneside = true
Is there any other config to consider, or is this a genuine bug/limitation?
Regards
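The visibility gap described in the report (a response transaction logged with no request) can be audited after the fact from the EVE log. The following script is an added example written for this page; it is not part of the report or of the Suricata project. It reads EVE JSON lines, keeps only http events, and flags transactions whose url carries the libhtp sentinel seen in the log above (or, as a fallback, a status with no method and no request headers). The first sample line is the log line from the report; the remaining sample lines, the function names and the field-checking heuristic are assumptions made for this example.

```python
import json

# Placeholder URI that libhtp emits when it never saw the request line of a
# transaction (copied from the EVE log line in the report above).
LIBHTP_URI_NOT_SEEN = "/libhtp::request_uri_not_seen"


def request_not_seen(http):
    """Return True when an http sub-object describes a response without a request.

    Primary signal: the libhtp sentinel in "url". Fallback (assumption for this
    example): a logged status with neither "http_method" nor request headers.
    """
    if http.get("url") == LIBHTP_URI_NOT_SEEN:
        return True
    return ("status" in http
            and "http_method" not in http
            and not http.get("request_headers"))


def scan_eve(lines):
    """Scan EVE JSON lines and collect http transactions with no request logged."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or corrupt line instead of aborting
        if ev.get("event_type") != "http":
            continue
        http = ev.get("http", {})
        if request_not_seen(http):
            findings.append({
                "timestamp": ev.get("timestamp"),
                "flow_id": ev.get("flow_id"),
                "tx_id": ev.get("tx_id"),
                "client": f"{ev.get('src_ip')}:{ev.get('src_port')}",
                "server": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
                "status": http.get("status"),
            })
    return findings


def summarize(findings):
    """Count affected transactions per server endpoint (helps spot one noisy host)."""
    counts = {}
    for f in findings:
        counts[f["server"]] = counts.get(f["server"], 0) + 1
    return counts


# Constructed sample input. Line 1 is the report's own log line; lines 2 and 3
# are made up for this example (a normal request/response pair and a flow event).
SAMPLE_EVE = [
    '{"timestamp":"2022-02-28T03:46:25.436228+0000","flow_id":1097925804505446,'
    '"in_iface":"wlp2s0b1","event_type":"http","src_ip":"192.168.0.105",'
    '"src_port":55758,"dest_ip":"192.168.0.114","dest_port":8090,"proto":"6",'
    '"tx_id":0,"http":{"http_port":0,"url":"/libhtp::request_uri_not_seen",'
    '"http_content_type":"application/json","status":200,"length":0,'
    '"request_headers":[],"response_headers":[{"name":"Content-Type",'
    '"value":"application/json; charset=utf-8"},{"name":"Date",'
    '"value":"Mon, 28 Feb 2022 03:10:38 GMT"},{"name":"Content-Length","value":"0"}]}}',
    '{"timestamp":"2022-02-28T03:46:30.000000+0000","flow_id":42,"event_type":"http",'
    '"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","tx_id":0,"http":{"hostname":"example.test","url":"/index.html",'
    '"http_method":"GET","protocol":"HTTP/1.1","status":200,"length":12,'
    '"request_headers":[{"name":"Host","value":"example.test"}],"response_headers":[]}}',
    '{"timestamp":"2022-02-28T03:46:31.000000+0000","flow_id":43,"event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
]


if __name__ == "__main__":
    hits = scan_eve(SAMPLE_EVE)
    for h in hits:
        print(f"{h['timestamp']} flow={h['flow_id']} tx={h['tx_id']} "
              f"{h['client']} -> {h['server']} status={h['status']} (no request logged)")
    print("per-server counts:", summarize(hits))
```

Run it against a real eve.json with `scan_eve(open("eve.json"))`; a steady stream of hits for one server is worth comparing with the pcap for that flow, since it tells you which transactions your HTTP logging is blind to.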
Files
Updated by Victor Julien almost 3 years ago
- Subject changed from Reordered request and response to http: request not logged when response comes before request
- Target version set to 7.0.0-beta1
If the traffic is like this on the wire (or in the pcap) Suricata will not attempt to reorder it, and I don't think it should. It should inspect/log the traffic as it is.
What does surprise me with this pcap is that the request is not logged at all. That seems a bug to me.
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1