Bug #6560

open

Suricata can't output response when meeting a TCP retransmission after a response

Added by chris tang 12 months ago. Updated 12 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Beginner, Good First Issue

Description

Details are also in https://forum.suricata.io/t/suricata-cant-output-response-when-meet-a-tcp-retransmission-after-a-response/4160

build-info

Please include the following information with your help request:

Suricata version: 7.0.1
Operating system and/or Linux distribution: ubuntu 20.04
How you installed Suricata (from source, packages, something else): source

Repro steps:

1. Build Suricata with PF_RING (other config keeps the defaults).

2. Run Suricata with the default config except for the pfring section:

pfring:
  - interface: enp132s0f0
    threads: 32
    cluster-id: 99
    cluster-type: cluster_flow
    bypass: yes
    checksum-checks: no

3. Edit one rule:

alert http any any -> any any ( msg:".svn info leak"; http.method; content:"GET"; flow:to_server,established; flowbits:set,svn_entries_information_leak; http.uri; content:"|2e|svn|2f|entries"; nocase; classtype: information-leakage; sid:1; rev:1;)

4. Run: suricata -c /path/to/config.yaml --pfring=enp132s0f0 -S /path/to/rule

5. Replay the pcap (see attachment) to enp132s0f0, or open the pcap file with Suricata using the -r argument.

Then I'll get an alert without the HTTP response header.
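As an added triage check, not part of this ticket or of the Suricata project, the script below scans eve.json alert records and lists HTTP alerts that carry the request side but no response status, which is the symptom reported above. The eve.json lines are constructed samples, not taken from the attached pcap; the field names (event_type, alert.signature_id, http.http_method, http.status) are the standard EVE JSON keys.

```python
import json
from typing import Iterable

# Constructed sample eve.json lines (not from the reporter's capture): one alert
# that carries the HTTP response, one that only has the request side, plus a
# non-alert record and a truncated line, both of which the check must skip.
SAMPLE_EVE_LINES = [
    json.dumps({
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
        "alert": {"signature_id": 1, "signature": ".svn info leak"},
        "http": {"hostname": "example.test", "url": "/.svn/entries",
                 "http_method": "GET", "protocol": "HTTP/1.1",
                 "status": 200, "length": 512},
    }),
    json.dumps({
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
        "alert": {"signature_id": 1, "signature": ".svn info leak"},
        "http": {"hostname": "example.test", "url": "/.svn/entries",
                 "http_method": "GET", "protocol": "HTTP/1.1"},
    }),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9"}),
    '{"event_type": "alert", "src_ip": "10.0.0.5"',  # truncated last line
]


def alerts_missing_response(lines: Iterable[str]) -> list:
    """Return HTTP alert records that have a request but no response status."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live eve.json can end in a partial line; skip it
        if rec.get("event_type") != "alert":
            continue
        http = rec.get("http")
        if not isinstance(http, dict) or "http_method" not in http:
            continue  # not an HTTP alert, or the request side is missing too
        if "status" not in http:
            hits.append({
                "sid": rec.get("alert", {}).get("signature_id"),
                "src_ip": rec.get("src_ip"),
                "dest_ip": rec.get("dest_ip"),
                "url": http.get("url"),
            })
    return hits


if __name__ == "__main__":
    for hit in alerts_missing_response(SAMPLE_EVE_LINES):
        print("request-only HTTP alert:", hit)
```

Feed it the real eve.json produced by the -r run to see which of the alerts from sid:1 lack the response side.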


Files

repo.zip (2.51 MB), chris tang, 11/21/2023 03:01 AM