Bug #264
closed
No payload for http alert data.
Added by Edward Fjellskål about 14 years ago.
Updated about 13 years ago.
Description
The http_* keywords use the http state which is working on top of the stream engine.
It currently works on ACK'd data, so the packet that contained the actual data is not the one triggering the alert, as the ACK comes in through a later packet.
A payload should probably be crafted for the alerts though...
- Assignee set to Victor Julien
- Target version set to 1.1beta2
Will be tasked to one of the OISF devs.
- Status changed from New to Assigned
- % Done changed from 0 to 50
In current git the first part of the solution is available: it logs the reassembled payload to alert-debuglog and unified2 if the signature matched on the reassembled stream. The app layer state, such as http, is still a todo.
- Target version changed from 1.1beta2 to 1.1beta3
App layer (such as http) state based alerts will be addressed in 1.1beta3.
- Assignee changed from Victor Julien to Eric Leblond
- Estimated time set to 12.00 h
- Due date set to 10/17/2011
- Priority changed from Normal to High
- Status changed from Assigned to Closed
Closed with the following notes:
1. prelude is still a todo (#355)
2. unified1 won't get updated as it's scheduled for removal (#353)
3. packets are logged from the stream engine segment list: these are already corrected for overlaps and retransmissions so they may not fully reflect the actual packet on the wire
4. in addition to 3, the packets in the segment list have payload only, so a fake minimal ip4/ip6 and tcp header is logged
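Illustration of notes 3 and 4 above, added here as an example and not Suricata's own code: a reassembled segment carries payload only, so the logger has to wrap it in a minimal IPv4 and TCP header before it can be written as a packet. The builder below synthesizes such a header pair with valid checksums, and the verifier checks both checksums and locates the payload again. The addresses, ports, sequence numbers, the HTTP request used as payload, and the TTL, flags and window values are all constructed assumptions; the point is that id, flags, TTL and the like are not recovered from the wire, so a consumer of these records should not treat them as observed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: synthesize a minimal IPv4 + TCP header around a
 * reassembled payload, the way a stream-based alert has to be logged
 * when no original packet exists. Not Suricata's code; values marked
 * "arbitrary" are assumptions of this example. */

#define IPV4_HDR_LEN 20
#define TCP_HDR_LEN  20

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)(v & 0xffff)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Accumulate 16-bit big-endian words for the Internet checksum. */
static uint32_t sum16(const uint8_t *d, size_t len, uint32_t acc)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        acc += (uint32_t)(d[i] << 8 | d[i + 1]);
    if (len & 1)
        acc += (uint32_t)(d[len - 1] << 8);   /* odd trailing byte is zero-padded */
    return acc;
}

/* End-around-carry fold and one's complement. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Build IPv4 + TCP + payload into out. Returns total length, 0 if it does not fit. */
size_t build_fake_ipv4_tcp(uint8_t *out, size_t cap,
                           uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
                           uint32_t seq, uint32_t ack, const uint8_t *payload, size_t plen)
{
    size_t total = IPV4_HDR_LEN + TCP_HDR_LEN + plen;
    if (total > cap || total > 0xffff)
        return 0;
    uint8_t *ip = out, *tcp = out + IPV4_HDR_LEN;
    memset(out, 0, IPV4_HDR_LEN + TCP_HDR_LEN);

    ip[0] = 0x45;                          /* version 4, IHL 5: no options */
    put16(ip + 2, (uint16_t)total);        /* total length */
    /* id, flags and fragment offset stay 0: unknown for a reassembled segment */
    ip[8] = 64;                            /* TTL: arbitrary, not from the wire */
    ip[9] = 6;                             /* protocol TCP */
    put32(ip + 12, src);
    put32(ip + 16, dst);
    put16(ip + 10, fold(sum16(ip, IPV4_HDR_LEN, 0)));

    put16(tcp, sport);
    put16(tcp + 2, dport);
    put32(tcp + 4, seq);                   /* sequence number of the segment */
    put32(tcp + 8, ack);
    tcp[12] = (TCP_HDR_LEN / 4) << 4;      /* data offset 5: no options */
    tcp[13] = 0x18;                        /* PSH|ACK: arbitrary, real flags unknown */
    put16(tcp + 14, 0xffff);               /* window: arbitrary */
    memcpy(tcp + TCP_HDR_LEN, payload, plen);

    /* TCP checksum covers a pseudo-header plus the whole segment */
    uint8_t pseudo[12];
    put32(pseudo, src);
    put32(pseudo + 4, dst);
    pseudo[8] = 0;
    pseudo[9] = 6;
    put16(pseudo + 10, (uint16_t)(TCP_HDR_LEN + plen));
    put16(tcp + 16, fold(sum16(tcp, TCP_HDR_LEN + plen, sum16(pseudo, 12, 0))));
    return total;
}

/* Check both checksums of a synthesized packet and locate its payload.
 * Returns 1 on success, 0 if the packet is malformed. */
int verify_fake_ipv4_tcp(const uint8_t *pkt, size_t len,
                         const uint8_t **payload, size_t *plen)
{
    if (len < IPV4_HDR_LEN + TCP_HDR_LEN || pkt[0] != 0x45 || pkt[9] != 6)
        return 0;
    if (get16(pkt + 2) != len)
        return 0;
    if (fold(sum16(pkt, IPV4_HDR_LEN, 0)) != 0)   /* sum incl. checksum field folds to 0 */
        return 0;
    const uint8_t *tcp = pkt + IPV4_HDR_LEN;
    size_t seglen = len - IPV4_HDR_LEN;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < TCP_HDR_LEN || doff > seglen)
        return 0;
    uint8_t pseudo[12];
    memcpy(pseudo, pkt + 12, 8);           /* src and dst copied from the IP header */
    pseudo[8] = 0;
    pseudo[9] = 6;
    put16(pseudo + 10, (uint16_t)seglen);
    if (fold(sum16(tcp, seglen, sum16(pseudo, 12, 0))) != 0)
        return 0;
    *payload = tcp + doff;
    *plen = seglen - doff;
    return 1;
}

/* Constructed sample: one reassembled HTTP request wrapped in fake headers. */
static const uint8_t sample_payload[] =
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";

size_t example_total_len(void)
{
    uint8_t buf[256];
    return build_fake_ipv4_tcp(buf, sizeof buf, 0x0a000001, 0x0a000002, 40000, 80,
                               1000, 2000, sample_payload, sizeof sample_payload - 1);
}

/* Returns 1 if the packet round-trips and a corrupted copy is rejected. */
int example_roundtrip(void)
{
    uint8_t buf[256];
    size_t n = build_fake_ipv4_tcp(buf, sizeof buf, 0x0a000001, 0x0a000002, 40000, 80,
                                   1000, 2000, sample_payload, sizeof sample_payload - 1);
    const uint8_t *p; size_t plen;
    if (n == 0 || !verify_fake_ipv4_tcp(buf, n, &p, &plen))
        return 0;
    if (plen != sizeof sample_payload - 1 || memcmp(p, sample_payload, plen) != 0)
        return 0;
    buf[n - 1] ^= 0x01;                    /* corrupt one payload byte: TCP checksum must fail */
    return verify_fake_ipv4_tcp(buf, n, &p, &plen) == 0;
}

int main(void)
{
    uint8_t buf[256];
    size_t n = build_fake_ipv4_tcp(buf, sizeof buf, 0x0a000001, 0x0a000002, 40000, 80,
                                   1000, 2000, sample_payload, sizeof sample_payload - 1);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", buf[i], (i % 16 == 15) ? "\n" : " ");
    printf("\nroundtrip ok: %d\n", example_roundtrip());
    return 0;
}
```

The checksums are the only fields a log consumer can actually validate; everything else in the synthesized headers (TTL, id, flags, window) is filler, which is why a packet logged this way may not match what a capture on the wire shows.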