Support #1890

Updated by Victor Julien over 7 years ago

Suricata doesn't intercept HTTP traffic with a content size > 773 bytes; it also doesn't log it, and no rules work on it.

 Sample of a request which Suricata "sees": 
 <pre> 
 POST /site/index.php/admin/pages/update/ HTTP/1.1 
 Host: test.test 
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 
 Accept: */* 
 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 
 Accept-Encoding: gzip, deflate 
 Referer: http://test.test/site/index.php/admin/pages/add/0/ 
 Cookie: bigtree_admin[email]=test%40test; bigtree_admin[login]=%5B%22session-57d952c595a234.11790882%22%2C%22chain-57d922277a2ab9.37400245%22%5D; PHPSESSID=advu78fpbhdlj8njh8dsiq80p4; hide_bigtree_bar=; bigtree_admin%5Bpage_properties_open%5D=on 
 Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106 
 Content-Length: *773* 
 Connection: close 
 Cache-Control: max-age=0 

 --b788b047b8e345b792cdc1f81fef2106 
 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 

 --b788b047b8e345b792cdc1f81fef2106-- 

 <end> 
 </pre> 
 This was written to http.log: 
 <pre> 
 09/15/2016-16:43:28.023114 test.test [**] /site/index.php/admin/pages/update/ [**] Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 [**] http://test.test/site/index.php/admin/pages/add/0/ [**] POST [**] HTTP/1.1 [**] 302 => http://test.test/site/index.php/admin/pages/add/0/ [**] 0 bytes [**] 10.1.1.1:61062 -> 10.1.1.2:80 
 </pre> 


 Sample of a request which Suricata does *NOT* "see": 
 <pre> 
 POST /site/index.php/admin/pages/update/ HTTP/1.1 
 Host: test.test 
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 
 Accept: */* 
 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 
 Accept-Encoding: gzip, deflate 
 Referer: http://test.test/site/index.php/admin/pages/add/0/ 
 Cookie: bigtree_admin[email]=test%40test; bigtree_admin[login]=%5B%22session-57d952c595a234.11790882%22%2C%22chain-57d922277a2ab9.37400245%22%5D; PHPSESSID=advu78fpbhdlj8njh8dsiq80p4; hide_bigtree_bar=; bigtree_admin%5Bpage_properties_open%5D=on 
 Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106 
 Content-Length: *774* 
 Connection: close 
 Cache-Control: max-age=0 

 --b788b047b8e345b792cdc1f81fef2106 
 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 

 --b788b047b8e345b792cdc1f81fef2106-- 

 <end> 
 </pre> 

 In http.log: nothing! 
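
To reproduce the 773/774-byte transition described in this report, here is an added Python script; it is not part of the original report or of Suricata. It rebuilds the same POST (same host, path, headers, cookie and multipart boundary as in the samples) with a body of N "1" characters, so that N=695 yields Content-Length 773 (the request Suricata logs) and N=696 yields 774 (the one it does not), checks that the declared Content-Length matches the body actually emitted, and can send the raw bytes over a TCP socket to the server under test. The exact layout of the multipart body (boundary line, the digits, a blank line, closing boundary with no Content-Disposition header) is an assumption based on the sample shown above; the digit counts follow from it. It generalizes the two samples to any body size, and printing the total request size for both cases lets you check, with a pcap next to Suricata's output, whether the transition coincides with the TCP segment size on your link.

```python
"""Reproducer for the 773/774-byte Content-Length boundary from the report above.

Added example, not part of the original report or of Suricata. Host, path,
headers and the multipart boundary are copied from the report; the exact layout
of the multipart body is an assumption based on the sample shown there.
"""
import socket

BOUNDARY = "b788b047b8e345b792cdc1f81fef2106"   # boundary from the report
HOST = "test.test"                              # host from the report
PATH = "/site/index.php/admin/pages/update/"    # path from the report
COOKIE = ("bigtree_admin[email]=test%40test; "
          "bigtree_admin[login]=%5B%22session-57d952c595a234.11790882%22%2C"
          "%22chain-57d922277a2ab9.37400245%22%5D; "
          "PHPSESSID=advu78fpbhdlj8njh8dsiq80p4; hide_bigtree_bar=; "
          "bigtree_admin%5Bpage_properties_open%5D=on")


def build_body(n_digits: int) -> bytes:
    """Multipart body as it appears in the report: opening boundary line,
    a line of n_digits '1' characters, a blank line, closing boundary.
    (Assumed layout: the sample shows no Content-Disposition header.)"""
    return (
        f"--{BOUNDARY}\r\n"
        + "1" * n_digits + "\r\n"
        + "\r\n"
        + f"--{BOUNDARY}--\r\n"
    ).encode("ascii")


def build_request(n_digits: int, host: str = HOST, path: str = PATH) -> bytes:
    """Full POST request bytes, Content-Length computed from the real body."""
    body = build_body(n_digits)
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) "
        "Gecko/20100101 Firefox/43.0\r\n"
        "Accept: */*\r\n"
        "Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        f"Referer: http://{host}/site/index.php/admin/pages/add/0/\r\n"
        f"Cookie: {COOKIE}\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "Cache-Control: max-age=0\r\n"
        "\r\n"
    ).encode("ascii")
    return headers + body


def declared_content_length(request: bytes) -> int:
    """Content-Length as declared in the request header block."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    raise ValueError("no Content-Length header")


def actual_body_length(request: bytes) -> int:
    """Number of bytes actually following the header block."""
    return len(request.split(b"\r\n\r\n", 1)[1])


def consistent(request: bytes) -> bool:
    """True when the declared Content-Length matches the emitted body."""
    return declared_content_length(request) == actual_body_length(request)


def send_request(request: bytes, host: str = HOST, port: int = 80) -> bytes:
    """Send the raw request over one TCP connection and return the raw reply.
    Not exercised offline; point host at the real server when reproducing."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # 695 digits gives Content-Length 773 (logged), 696 gives 774 (not logged).
    for n in (695, 696):
        req = build_request(n)
        print(f"Content-Length {declared_content_length(req)}: "
              f"total request {len(req)} bytes, consistent={consistent(req)}")
```

Run it as-is to print the two request sizes without touching the network; to actually reproduce, call `send_request(build_request(696), host="<server>")` while Suricata watches the link and compare against the 695-digit variant.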
