test: add test for 'unseen' http midstream packets - v2 #877
Conversation
In a pcap where just `http` midstream traffic packets are seen, Suri is unable to see those as `http` packets (Wireshark tags them correctly). This also seems to result in Suri sometimes not adding the packet payload to the associated alert event in the eve-log. `unseen-http-stream-01` has the pcap where http packets are not seen; `unseen-http-stream-02` has a more complete pcap, where the same packets are properly identified by Suri. Related to Bug #5437
Should CI not fail until the ticket is resolved?
You're right, I wasn't sure how to proceed with the creation of this test, tbh.
I had not looked into the ticket yet. If this is about the
Then I said I think you are right, because I thought that we should have a test that is able to show that Suri has this bug. But I wasn't able to...
Am I understanding correctly that you do not manage to reproduce the bug described in the redmine ticket https://redmine.openinfosecfoundation.org/issues/5437? Do I read correctly from the redmine ticket that the bug is that some flows do not have
The part I was not able to reproduce is having the payload printed. In both tests, that is not shown, while apparently it should be seen for the full pcap (test 02).
So, the S-V test should be about event_type==flow and app_layer==http, right?
Thanks, I was feeling rather lost with how to approach this one. I'll incorporate those changes :)
Replaced by: #926
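As an added illustration of the check suggested above (not code from this PR or from suricata-verify), the snippet below scans eve.json lines and reports which flows Suricata classified as http and which alert events carry no payload. It assumes the standard eve fields: flow records carry the detected protocol in `app_proto`, and alert records carry `payload` / `payload_printable`; the sample lines are constructed, not taken from the PR's pcaps.

```python
import json

# Constructed eve.json sample (not output from the PR's pcaps):
# flow 1 was never recognised as http, flow 2 was; the alert on flow 2
# lacks a payload, which is the symptom discussed in the PR.
SAMPLE_EVE = """\
{"event_type":"flow","flow_id":1,"app_proto":"failed","src_ip":"10.0.0.1","dest_ip":"10.0.0.2"}
{"event_type":"flow","flow_id":2,"app_proto":"http","src_ip":"10.0.0.3","dest_ip":"10.0.0.4"}
{"event_type":"alert","flow_id":1,"alert":{"signature_id":1},"payload_printable":"GET / HTTP/1.1"}
{"event_type":"alert","flow_id":2,"alert":{"signature_id":1}}
"""


def parse_eve(text):
    """Parse newline-delimited eve JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def http_flow_ids(events):
    """flow_ids of flow records whose app_proto is http (the S-V filter
    event_type == flow and application protocol == http)."""
    return sorted(e["flow_id"] for e in events
                  if e.get("event_type") == "flow" and e.get("app_proto") == "http")


def alerts_missing_payload(events):
    """flow_ids of alert records that carry neither payload nor payload_printable."""
    return sorted(e["flow_id"] for e in events
                  if e.get("event_type") == "alert"
                  and not (e.get("payload") or e.get("payload_printable")))


def summarize(text):
    """Counts a suricata-verify style check would assert on."""
    events = parse_eve(text)
    return {
        "flows": sum(1 for e in events if e.get("event_type") == "flow"),
        "http_flows": len(http_flow_ids(events)),
        "alerts": sum(1 for e in events if e.get("event_type") == "alert"),
        "alerts_without_payload": len(alerts_missing_payload(events)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVE))
```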
Previous PR: #763
Describe changes:
- 01 shows the unseen http packets behavior,
- 02 shows how Suri is able to identify them when part of a larger stream.

**To note**
I was not able to get Suri to log the payload, in any of the tests.
I also did not manage to get alerts with the rule shared on the Discord chat, nor with another sid that showed up in one of the logs shared by them...
Redmine ticket: Bug #5437