Bug #5437
Updated by Juliana Fajardini Reichow over 2 years ago
This was raised by a discussion on our Discord server. Two users reached out because Suri seemed to be randomly omitting payloads from some of the alerts. Apparently, this is happening because some HTTP midstream packets are not seen by Suri, even if we have _stream.midstream=true_. _stream.midstream=true_ Wireshark is able to properly tag such traffic as HTTP. This also leads to Suri not logging associated payload to some alert events in the eve-log, as it doesn't recognize the stream as HTTP. The rule used by them to generate the alerts was: <pre> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mirai"; flow:to_server,established; content:"User-Agent|3A| Hello, world"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service HTTP; reference:url,www.virustotal.com/en/file/ 3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d/analysis/; classtype:trojan-activity; sid:58992; rev:1;) </pre>