Support #5463
openWhen capturing http traffic, the entire subsequent stream is lost
Description
Hi team,
When I tried to capture http traffic, I found a serious traffic loss problem. After repeated testing, I think there may be a bug in traffic reorganization, which will cause subsequent traffic to be discarded.
Purpose: Capture the entire stream of http, including requests and responses, as well as the body of the response
Measure:
Eve JSON Output
(1) Create a rule to match http traffic and trigger an event
(2) Open the following configuration to record the http body
types:
- alert:
#payload: yes
payload-buffer-size: 8192kb
payload-printable: yes
#packet: yes
metadata: yes
#http-body: yes
http-body-printable: yes
Lua Output
Create lua output script to capture http traffic
Issues:
Both methods of http traffic capture work fine in some cases (about 50% of cases)
Both methods of http traffic capture have the same stream loss problem, even in the case of non-high traffic, such as downloading an 800k file, the entire stream only captures the first request packet, and the subsequent packets are lost
Use tcpdump for further testing. It is found that tcpdump can capture the complete stream, while suricata only captures the first request
From the analysis of the troubleshooting process, the phenomenon is close to that suricata fails to correctly identify the subsequent packets as http traffic in the same stream, so they are discarded
Asking for help here, thanks.
Updated by Victor Julien over 1 year ago
- Tracker changed from Bug to Support
- Assignee deleted (
OISF Dev) - Priority changed from High to Normal
- Target version deleted (
6.0.7) - Effort deleted (
high) - Difficulty deleted (
high)
Can you expand more on how to reproduce? Esp what the lua script does? My immediate thought is that if the script takes too much time, which is not hard to do in a script, it may lead to massive packet loss.
Updated by Philippe Antoine 11 months ago
- Status changed from New to Feedback
- Assignee set to TT Yang