Support #1890
Updated by Victor Julien over 7 years ago
Suricata doesn't intercept HTTP traffic with a content size > 773 bytes; it also doesn't log it, and no rules work for it. Sample of a request which Suricata "sees":

<pre>
POST /site/index.php/admin/pages/update/ HTTP/1.1
Host: test.test
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://test.test/site/index.php/admin/pages/add/0/
Cookie: bigtree_admin[email]=test%40test; bigtree_admin[login]=%5B%22session-57d952c595a234.11790882%22%2C%22chain-57d922277a2ab9.37400245%22%5D; PHPSESSID=advu78fpbhdlj8njh8dsiq80p4; hide_bigtree_bar=; bigtree_admin%5Bpage_properties_open%5D=on
Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106
Content-Length: *773*
Connection: close
Cache-Control: max-age=0

--b788b047b8e345b792cdc1f81fef2106
1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
--b788b047b8e345b792cdc1f81fef2106--
<end>
</pre>

In http.log was written:

<pre>
09/15/2016-16:43:28.023114 test.test [**] /site/index.php/admin/pages/update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 [**] http://test.test/site/index.php/admin/pages/add/0/ [**] POST [**] HTTP/1.1 [**] 302 => http://test.test/site/index.php/admin/pages/add/0/ [**] 0 bytes [**] 10.1.1.1:61062 -> 10.1.1.2:80
</pre>

Sample of a request which Suricata does *NOT* "see":

<pre>
POST /site/index.php/admin/pages/update/ HTTP/1.1
Host: test.test
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://test.test/site/index.php/admin/pages/add/0/
Cookie: bigtree_admin[email]=test%40test; bigtree_admin[login]=%5B%22session-57d952c595a234.11790882%22%2C%22chain-57d922277a2ab9.37400245%22%5D; PHPSESSID=advu78fpbhdlj8njh8dsiq80p4; hide_bigtree_bar=; bigtree_admin%5Bpage_properties_open%5D=on
Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106
Content-Length: *774*
Connection: close
Cache-Control: max-age=0

--b788b047b8e345b792cdc1f81fef2106
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
--b788b047b8e345b792cdc1f81fef2106--
<end>
</pre>

In http.log: nothing!
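An added reproduction helper for triaging this report (not code from the ticket or the Suricata project): it builds the two multipart POSTs with a Content-Length of exactly 773 and 774 bytes so header and body cannot disagree, and parses the legacy http.log line format so the sensor's output can be checked for the request. The part layout inside the body, the minimal header set and the `send_request` helper are assumptions, since the report's rendering lost its line breaks.

```python
import re
import socket

BOUNDARY = "b788b047b8e345b792cdc1f81fef2106"  # boundary used in the ticket's requests
HOST, PATH = "test.test", "/site/index.php/admin/pages/update/"

# http.log line quoted in the ticket (first field is "timestamp host")
LOG_LINE = ("09/15/2016-16:43:28.023114 test.test [**] /site/index.php/admin/pages/update/ [**] "
            "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 [**] "
            "http://test.test/site/index.php/admin/pages/add/0/ [**] POST [**] HTTP/1.1 [**] "
            "302 => http://test.test/site/index.php/admin/pages/add/0/ [**] 0 bytes [**] "
            "10.1.1.1:61062 -> 10.1.1.2:80")

def build_multipart_body(content_length: int, boundary: str = BOUNDARY) -> bytes:
    """Body of exactly content_length bytes: --boundary CRLF filler CRLF --boundary-- CRLF.
    The part layout is an assumption; the ticket's rendering dropped the line breaks."""
    head = f"--{boundary}\r\n".encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    filler = content_length - len(head) - len(tail)
    if filler < 0:
        raise ValueError("content_length smaller than the boundary framing")
    return head + b"1" * filler + tail

def build_request(content_length: int) -> bytes:
    """Raw POST whose Content-Length header matches the body byte for byte."""
    body = build_multipart_body(content_length)
    head = (f"POST {PATH} HTTP/1.1\r\nHost: {HOST}\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body

def declared_content_length(request: bytes) -> int:
    return int(re.search(rb"\r\nContent-Length: (\d+)\r\n", request).group(1))

def send_request(request: bytes, host: str, port: int = 80) -> bytes:
    """Deliver one request through the sensor to a web server you operate."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        return s.recv(4096)

def parse_http_log_line(line: str) -> dict:
    """Split a legacy http.log record on its ' [**] ' separator into named fields."""
    f = line.rstrip("\n").split(" [**] ")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    ts, host = f[0].split(" ", 1)
    src, dst = f[8].split(" -> ")
    return {"timestamp": ts, "host": host, "url": f[1], "user_agent": f[2], "referer": f[3],
            "method": f[4], "protocol": f[5], "status": f[6], "bytes": f[7], "src": src, "dst": dst}
```

After sending `build_request(773)` and `build_request(774)` through the sensor, grep http.log for `PATH` and run each hit through `parse_http_log_line` to confirm which of the two sizes produced a record.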