Bug #1946
closedcan't get response info in some situation
Description
can't get http response in some situation.,and the http log show
"status":"-","ResponseBytes":"0"
the function HttpGetResponseLine(),HttpGetRawResponseHeaders(),HttpGetResponseBody() are get null.
The http request and response are:
GET /teamlog/worklog-data/showSharedPeople/ HTTP/1.1
Host: sn.xxxx.com:8080
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36
DNT: 1
Referer: http://sn.xxxx.com:8080/teamlog/worklog/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh,zh-CN;q=0.8,en-US;q=0.6,en;q=0.4,zh-TW;q=0.2,de;q=0.2
Cookie: JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e;
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Language: zh-CN
Transfer-Encoding: chunked
Date: Wed, 09 Nov 2016 06:47:50 GMT
[{"shared":1,"id":2,"username":"......"},{"shared":1,"id":7,"username":"........."},{"shared":0,"id":1,"username":"admin"},{"shared":0,"id":3,"username":"......"},{"shared":0,"id":9,"username":"........."}]
All the http log :
{"timestamp":"11/08/16-19:56:20.432093","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"-","Cookie":"JSESSIONID=E9C3B12FCE7419C3507E308AFF27526A; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/","status":"302","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/08/16-19:56:20.444820","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"-","Cookie":"JSESSIONID=53192C23E69C63D3C51B36E759C13DC1; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog","status":"302","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/08/16-19:56:20.454456","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"-","Cookie":"JSESSIONID=53192C23E69C63D3C51B36E759C13DC1; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/","status":"302","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/08/16-19:56:20.471967","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"-","Cookie":"JSESSIONID=53192C23E69C63D3C51B36E759C13DC1; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/login/%2Fworklog%2F","status":"200","ResponseBytes":"5121","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/08/16-19:56:29.663941","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/login/%2Fworklog%2F","Cookie":"JSESSIONID=53192C23E69C63D3C51B36E759C13DC1; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"POST","hostame":"sn.xxxx.com","URL":"/teamlog/login","status":"200","ResponseBytes":"5165","clientIP":"172.19.100.133","clientPort":55406,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.662537","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/BrowseLogItemView.jsp","status":"200","ResponseBytes":"1128","clientIP":"172.19.100.133","clientPort":54516,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.559272","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/res/imgs/default-avatar.png?t=539","status":"200","ResponseBytes":"4001","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.664139","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/BrowseLogCommentView.jsp","status":"200","ResponseBytes":"570","clientIP":"172.19.100.133","clientPort":54517,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.666645","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/EditLogPeopleView.jsp","status":"200","ResponseBytes":"867","clientIP":"172.19.100.133","clientPort":54519,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.654500","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/BrowseLogHeaderView.jsp","status":"200","ResponseBytes":"1024","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.664082","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/BrowseLogPostCommentView.jsp","status":"-","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.956380","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog-data/getTags/","status":"200","ResponseBytes":"247","clientIP":"172.19.100.133","clientPort":54519,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.666677","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog/templates/EditLogView.jsp","status":"200","ResponseBytes":"1280","clientIP":"172.19.100.133","clientPort":54518,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.954246","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog-data/showSharedPeople/","status":"-","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.964995","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog-data/showSharedPeople/","status":"-","ResponseBytes":"0","clientIP":"172.19.100.133","clientPort":54515,"serverIP":"172.17.106.190","serverPort":8080} {"timestamp":"11/09/16-16:03:45.968752","UA":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36","X-Forwarded-For":"-","Referer":"http://sn.xxxx.com:8080/teamlog/worklog/","Cookie":"JSESSIONID=9376EF8E2A0FCF00C07A309BCC59827B; TeamLog=5c5eff95a1cc1d3514899209562e852e; _pcid_=d397a8bb9eca4f0782103f9a27d6139e; Hm_lvt_67f90644532efbe0383b928e0af775fa=1465984181; QCOOKIE=323431383632373138302c323431383638333134342c; __utma=15969214.1934399813.1467100157.1467103120.1469852869.3; __utmz=15969214.1467100157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); csrftoken=2IOphx0cuqfmxZVzujUbNCxokbR9veRA; auth_token=f2f5bf820b1e822012bdef0681b260cc3454e1ca","Protocol":"HTTP/1.1","Method":"GET","hostame":"sn.xxxx.com","URL":"/teamlog/worklog-data/showWorkLogData?period=2016-11-06%2C2016-11-13&people=1","status":"200","ResponseBytes":"2674","clientIP":"172.19.100.133","clientPort":54518,"serverIP":"172.17.106.190","serverPort":8080}
the pcap is in [词典] attachment
Files
Updated by Andreas Herz about 8 years ago
- Assignee set to Anonymous
- Target version set to TBD
What version of suricata are you running and how are you running suricata?
Could you also attach the relevant parts of your suricata.yaml?
Updated by wilson green about 8 years ago
The version of suricata is 3.1.3, and it also happend in 3.1.2
[root@localhost bin]# ./suricata --build-info This is Suricata version 3.1.3 RELEASE Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS SIMD support: SSE_4_2 SSE_4_1 SSE_3 Atomic intrisics: 1 2 4 8 16 byte(s) 64-bits, Little-endian architecture GCC version 4.4.7 20120313 (Red Hat 4.4.7-11), C version 199901 compiled with _FORTIFY_SOURCE=0 L1 cache line size (CLS)=64 thread local storage method: __thread compiled with LibHTP v0.5.23, linked against LibHTP v0.5.23 Suricata Configuration: AF_PACKET support: yes PF_RING support: yes NFQueue support: no NFLOG support: no IPFW support: no Netmap support: no DAG enabled: no Napatech enabled: no Unix socket enabled: yes Detection enabled: yes libnss support: yes libnspr support: yes libjansson support: yes hiredis support: yes Prelude support: no PCRE jit: yes LUA support: yes, through luajit libluajit: yes libgeoip: no Non-bundled htp: no Old barnyard2 support: no CUDA enabled: no Hyperscan support: no Libnet support: no Suricatasc install: yes Profiling enabled: no Profiling locks enabled: no Development settings: Coccinelle / spatch: no Unit tests enabled: no Debug output enabled: no Debug validation enabled: no Generic build parameters: Installation prefix: /opt/suricata Configuration directory: /opt/suricata/etc/suricata/ Log directory: /opt/suricata/var/log/suricata/ --prefix /opt/suricata --sysconfdir /opt/suricata/etc --localstatedir /opt/suricata/var Host: x86_64-pc-linux-gnu Compiler: gcc (exec name) / gcc (real) GCC Protect enabled: no GCC march native enabled: yes GCC Profile enabled: no Position Independent Executable enabled: no CFLAGS -g -O2 -march=native PCAP_CFLAGS -I/usr/local/include SECCFLAGS
the http config is :
libhtp:
default-config:
personality: IDS
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 35mb
response-body-limit: 512mb
# inspection limits
request-body-minimal-inspect-size: 35mb
request-body-inspect-window: 35mb
response-body-minimal-inspect-size: 35mb
response-body-inspect-window: 512mb
# response body decompression (0 disables)
response-body-decompress-layer-limit: 3
# auto will use http-body-inline mode in IPS mode, yes or no set it statically
http-body-inline: auto
# Take a random value for inspection sizes around the specified value.
# This lower the risk of some evasion technics but could lead
# detection change between runs. It is set to 'yes' by default.
#randomize-inspection-sizes: yes
# If randomize-inspection-sizes is active, the value of various
# inspection size will be choosen in the [1 - range%, 1 + range%]
# range
# Default value of randomize-inspection-range is 10.
#randomize-inspection-range: 10
# decoding
double-decode-path: no
double-decode-query: no
server-config:
the
Updated by wilson green about 8 years ago
- File suricata.yaml suricata.yaml added
sorry ,I give the wrong config.this is the right.
he version of suricata is 3.1.3, and it also happend in 3.1.2
wilson@Wilson ~$ suricata --build-info This is Suricata version 3.1.3 RELEASE Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS SIMD support: SSE_4_2 SSE_4_1 SSE_3 Atomic intrisics: 1 2 4 8 16 byte(s) 64-bits, Little-endian architecture GCC version 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1), C version 199901 compiled with -fstack-protector compiled with _FORTIFY_SOURCE=2 L1 cache line size (CLS)=64 thread local storage method: __thread compiled with LibHTP v0.5.23, linked against LibHTP v0.5.23 Suricata Configuration: AF_PACKET support: no PF_RING support: no NFQueue support: no NFLOG support: no IPFW support: no Netmap support: no DAG enabled: no Napatech enabled: no Unix socket enabled: yes Detection enabled: yes libnss support: yes libnspr support: yes libjansson support: yes hiredis support: no Prelude support: no PCRE jit: yes LUA support: yes, through luajit libluajit: yes libgeoip: no Non-bundled htp: no Old barnyard2 support: no CUDA enabled: no Hyperscan support: no Libnet support: yes Suricatasc install: yes Profiling enabled: no Profiling locks enabled: no Development settings: Coccinelle / spatch: no Unit tests enabled: no Debug output enabled: no Debug validation enabled: no Generic build parameters: Installation prefix: /usr/local/Cellar/suricata/3.1.2 Configuration directory: /usr/local/Cellar/suricata/3.1.2/etc/suricata/ Log directory: /usr/local/Cellar/suricata/3.1.2/var/log/suricata/ --prefix /usr/local/Cellar/suricata/3.1.2 --sysconfdir /usr/local/Cellar/suricata/3.1.2/etc --localstatedir /usr/local/Cellar/suricata/3.1.2/var Host: x86_64-apple-darwin16.1.0 Compiler: llvm-gcc (exec name) / clang (real) GCC Protect enabled: no GCC march native enabled: yes GCC Profile enabled: no Position Independent Executable enabled: no CFLAGS -g -O2 -DOS_DARWIN -march=native PCAP_CFLAGS SECCFLAGS
the config is :
http:
enabled: yes
# memcap: 64mb
# default-config: Used when no server-config matches
# personality: List of personalities used by default
# request-body-limit: Limit reassembly of request body for inspection
# by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
# response-body-decompress-layer-limit:
# Limit to how many layers of compression will be
# decompressed. Defaults to 2.
#
# server-config: List of server configurations to use if address matches
# address: List of ip addresses or networks for this block
# personalitiy: List of personalities used by this block
# request-body-limit: Limit reassembly of request body for inspection
# by http_client_body & pcre /P option.
# response-body-limit: Limit reassembly of response body for inspection
# by file_data, http_server_body & pcre /Q option.
# double-decode-path: Double decode path section of the URI
# double-decode-query: Double decode query section of the URI
#
# uri-include-all: Include all parts of the URI. By default the
# 'scheme', username/password, hostname and port
# are excluded. Setting this option to true adds
# all of them to the normalized uri as inspected
# by http_uri, urilen, pcre with /U and the other
# keywords that inspect the normalized uri.
# Note that this does not affect http_raw_uri.
# Also, note that including all was the default in
# 1.4 and 2.0beta1.
#
# meta-field-limit: Hard size limit for request and response size
# limits. Applies to request line and headers,
# response line and headers. Does not apply to
# request or response bodies. Default is 18k.
# If this limit is reached an event is raised.
#
# Currently Available Personalities:
# Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
# IIS_7_0, IIS_7_5, Apache_2
libhtp:
default-config:
personality: IDS
# Can be specified in kb, mb, gb. Just a number indicates
# it's in bytes.
request-body-limit: 100mb
response-body-limit: 100mb
# inspection limits
request-body-minimal-inspect-size: 32mb
request-body-inspect-window: 4mb
response-body-minimal-inspect-size: 40mb
response-body-inspect-window: 16mb
# response body decompression (0 disables)
response-body-decompress-layer-limit: 2
# auto will use http-body-inline mode in IPS mode, yes or no set it statically
http-body-inline: auto
# Take a random value for inspection sizes around the specified value.
# This lower the risk of some evasion technics but could lead
# detection change between runs. It is set to 'yes' by default.
#randomize-inspection-sizes: yes
# If randomize-inspection-sizes is active, the value of various
# inspection size will be choosen in the [1 - range%, 1 + range%]
# range
# Default value of randomize-inspection-range is 10.
#randomize-inspection-range: 10
# decoding
double-decode-path: no
double-decode-query: no
server-config:
#- apache:
# address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
# personality: Apache_2
# # Can be specified in kb, mb, gb. Just a number indicates
# # it's in bytes.
# request-body-limit: 4096
# response-body-limit: 4096
# double-decode-path: no
# double-decode-query: no
#- iis7:
# address:
# - 192.168.0.0/24
# - 192.168.10.0/24
# personality: IIS_7_0
# # Can be specified in kb, mb, gb. Just a number indicates
# # it's in bytes.
# request-body-limit: 4096
# response-body-limit: 4096
# double-decode-path: no
# double-decode-query: no
Updated by Paulo Pacheco about 8 years ago
Tried this with --runmode single with good results.
The bug only happens when running with multiple threads.
Updated by wilson green about 8 years ago
yeah,it's ok with --runmode single.thx
Updated by Paulo Pacheco about 8 years ago
- File qq.com.54515-8080.pcap qq.com.54515-8080.pcap added
I've isolated the issue to a single TCP flow from the posted pcap.
It only fails in this flow:
172.019.100.133.54515-172.017.106.190.08080
Updated by Paulo Pacheco about 8 years ago
- File 1946.patch 1946.patch added
Investigating more this issue,
I found out this happens at the shutdown sequence because of a premature call for FlowForceReassembly().
If we place a sleep(1) right after suricata.c main loop or postpone the FlowForceReassembly(), we will have the correct values available for output.
I've tested attached patch, with a basic lua output script from http://suricata.readthedocs.io/en/latest/output/lua-output.html?highlight=lua%20output, and I was able to get correct values.
--------- START -------------------------------------------------
Response Line: [HTTP/1.1 200 OK]
Response Headers: [Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Language: zh-CN
Transfer-Encoding: chunked
Date: Wed, 09 Nov 2016 06:47:50 GMT
]
Response Body Size: [206]
11/09/2016-08:03:45.965109 sn.yeepay.com [**] /teamlog/worklog-data/showSharedPeople/ [**] Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36 [**] 172.19.100.133:54515 -> 172.17.106.190:8080
-------- END -------------------------------------------------
The way I did to calculate the response body size
function bodySize(T)
local size = 0
if not T then
return 0
end
for key,value in pairs(T) do
size = size + string.len(value)
end
return size
end
...
print ("Response Body Size: [" .. tostring(bodySize(HttpGetResponseBody())) .. "]");
Updated by Victor Julien almost 8 years ago
- Status changed from New to Assigned
- Assignee changed from Anonymous to Victor Julien
Paulo could you share your full test script + your commandline? Would like to reproduce this but having little luck so far. Thanks!
Updated by Paulo Pacheco almost 8 years ago
Just run suricata -r qq.com.54515-8080.pcap ( pcap filtered from submitted pcap with flows that matters ) -c suricata.yaml ( The right config attached here )
If you run with --runmode single it works properly, otherwise, it fails to log to http.log the status":"-","ResponseBytes":"0",
Updated by Victor Julien almost 8 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 3.2.1
Addressed by: https://github.com/inliniac/suricata/pull/2518
Thanks wilson for the report, and thank Paolo for helping me get a test case.