Bug #5520
closedIf alert status code is 200, some fields are missing
Description
There is an bug when you make a request that does pop an alert, and it was successful with status code 200. Results In eve.json missing some fields such as status.code , content-type...
I attached a file with the traffic going on. Note: only for status 200.
I forged a fake pcap file with the same scenario, but it doesn't show the alert in fast.log when you analyze it with "suricata -r file.pcap". (Note, however when you are listening on an interface, the alert pops up but with missing json fields)
Steps to reproduce:
Docker image: https://hub.docker.com/r/vulnerables/web-dvwa/
Suricata Alert: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; http.request_body; content:"|7F|ELF"; classtype:bad-unknown; sid:2017054; rev:3; metadata:created_at 2013_06_22, updated_at 2020_04_24;)
1. Use docker image and expose locally.
2. sign in with admin:admin, create a database and then sign in with admin:password
3. go to file upload, upload any small .elf file such as http://timelessname.com/elfbin/ while listening on Docker0 interface.
4. You will see an alert generated, and theres missing fields in eve.json.
Files