http/gap: fix check for payload_length
authorPhilippe Antoine <pantoine@oisf.net>
Wed, 14 Aug 2024 20:24:58 +0000 (22:24 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 11 Sep 2024 07:53:02 +0000 (09:53 +0200)
The change to suricata.yaml illustrates bug 7213.

There is not yet a valid http1.response frame for the second request
after the gap

tests/eve-payload-07-http-gap/suricata.yaml
tests/eve-payload-07-http-gap/test.yaml

index 472f7d88b93b8ce59eec130600aada0e1d1af3a3..941508867631f2f8bf510e15fef4dec69cf91b1d 100644 (file)
@@ -7,6 +7,9 @@ outputs:
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
       filename: eve.json
       types:
+        - frame:
+            # this should not affect detection (but it did)
+            enabled: yes
         - alert:
             payload: yes             # enable dumping payload in Base64
             payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
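Review bot: The comment added above `enabled: yes` in the new frame block records that something went wrong but not what, so a later maintainer cleaning up this config has no reason to keep frame logging on in a test about alert payloads. Tie it to the tracked issue and state the property the test now guards: `# bug 7213: enabling frame logging changed the alert payload / payload_length; keep it on so this test catches a regression`. Leaving `yes` is consistent with Suricata's own config style, so no change there.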
index 92d5e50f3ef7def5f9e28edd8b3756f96127d984..b469a94fcc432fd45536435b2855daee7885bf3c 100644 (file)
@@ -40,13 +40,6 @@ checks:
       alert.signature_id: 2
       payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n"
       payload_length: 136
-- filter:
-    count: 1
-    match:
-      event_type: alert
-      alert.signature_id: 3
-      payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n[127 bytes missing]AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHTTP/1.0 200 OK\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\nHello People\r\n"
-      payload_length: 324
 - filter:
     count: 1
     match:
@@ -59,6 +52,7 @@ checks:
       event_type: alert
       alert.signature_id: 4
       payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n[127 bytes missing]AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHTTP/1.0 200 OK\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\nHello People\r\n"
+      payload_length: 324
 - filter:
     count: 1
     match:
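Review bot: The added `payload_length: 324` for sid 4 pins a value whose meaning is not obvious from the filter: the matched `payload_printable` spans a 127-byte gap, yet 324 is far less than the 136 + 127 + 113 bytes of headers and body around it, so the number appears to be the length of the rendered string with the 19-character `[127 bytes missing]` marker standing in for the gap (136 + 19 + the A-run + 113 reaches 324 if the A-run is 56 characters, which I have not verified). That is fine to assert, but it locks in a representation of gaps rather than the wire length, and a reader should not have to reverse-engineer it. I would annotate the line: `payload_length: 324  # length of the rendered payload: the 127-byte gap counts as the "[127 bytes missing]" marker, not as 127 bytes`. The sid 2 check a few lines up has the same field with 136 and needs no such note because no gap is involved.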