Bug #5437 (closed)
'unseen' http midstream packets with TCP FIN flag set
Description
This was raised by a discussion on our Discord server.
Two users reached out because Suricata seemed to be randomly omitting payloads from some of the alerts.
Apparently, this is happening because some HTTP midstream packets are not seen by Suricata, even with stream.midstream=true set.
Wireshark is able to properly tag such traffic as HTTP.
This also leads to Suricata not logging the associated payload for some alert events in the eve-log, as it doesn't recognize the stream as HTTP.
The rule they used to generate the alerts was:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mirai"; flow:to_server,established; content:"User-Agent|3A| Hello, world"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service HTTP; reference:url,www.virustotal.com/en/file/3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d/analysis/; classtype:trojan-activity; sid:58992; rev:1;)
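The condition described above (an HTTP request that arrives mid-stream, with no handshake in the capture, in a segment that carries PSH, ACK and FIN together) can be reproduced offline from a hand-built pcap. The script below is an added example, not code from the Suricata project or from the bug report; it writes two single-packet pcaps, one with FIN set and one without, so the two can be replayed with `suricata -r <pcap> -l out/` against a configuration with stream.midstream=true and the resulting eve.json compared for whether the alert from sid:58992 carries the payload and an http object. The IP addresses, ports, sequence numbers, MAC addresses and the request body are constructed values.

```python
"""Build one-packet pcaps reproducing a midstream HTTP request with and
without the TCP FIN flag. Added example; all addresses and numbers are
constructed, not taken from the bug report."""
import socket
import struct

FLAG_FIN, FLAG_PSH, FLAG_ACK = 0x01, 0x08, 0x10

# Constructed request; the User-Agent matches the content of sid:58992 above.
HTTP_REQUEST = (b"GET / HTTP/1.1\r\n"
                b"Host: example.test\r\n"
                b"User-Agent: Hello, world\r\n"
                b"\r\n")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums, so that
    checksum validation does not discard it before stream handling."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def tcp_flags(frame: bytes) -> int:
    """Flags byte of the TCP header (Ethernet 14 + IPv4 20 + offset 13)."""
    return frame[14 + 20 + 13]


def verify_checksums(frame: bytes) -> bool:
    """Re-run both checksums over the finished frame; both must fold to zero."""
    ip = frame[14:34]
    tcp_seg = frame[34:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(tcp_seg))
    return checksum(ip) == 0 and checksum(pseudo + tcp_seg) == 0


def pcap_bytes(frames, ts=1_700_000_000):
    """Classic pcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(f), len(f)) + f
    return out


def midstream_frame(with_fin=True):
    """Request data in the first segment seen, no prior SYN; FIN optional so
    the reported case can be compared with the plain midstream case."""
    flags = FLAG_PSH | FLAG_ACK | (FLAG_FIN if with_fin else 0)
    return build_tcp_packet("10.0.0.5", "203.0.113.10", 40000, 80,
                            seq=0x10000, ack=0x20000,
                            flags=flags, payload=HTTP_REQUEST)


if __name__ == "__main__":
    for name, fin in (("midstream_fin.pcap", True), ("midstream_nofin.pcap", False)):
        with open(name, "wb") as fh:
            fh.write(pcap_bytes([midstream_frame(fin)]))
```

Both files contain a single client-to-server segment on port 80, so with stream.midstream=true the only difference between the two replays is the FIN bit; if the alert for the FIN case lacks the payload or http fields while the no-FIN case has them, the capture isolates the reported behaviour.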