Forum Discussion
Kevin_Stewart
Jul 08, 2014 (Employee)
Do I send the TCP traffic to the sideband the same way?
You can, but be mindful of the format. An HTTP request is a combination of method/version/resource line, headers, and any payload.
GET /foo HTTP/1.1
Host: foo.example.com
Accept: */*
An HTTP response is a combination of status/version line, headers, and any payload.
HTTP/1.1 200 OK
Date: some date
Server: Apache
Content-Type: text/html
Content-Length: 3600
Payload data
A TCP packet that carries HTTP traffic will be a combination of TCP headers and TCP payload. The TCP payload will be the entire HTTP message (or likely some of it).
TCP headers
TCP payload:
GET /foo HTTP/1.1\r\nHost: foo.example.com\r\nAccept: */*\r\n\r\n
If you dump the TCP::payload to syslog, you won't see the \r\n CRLF characters, but they're there. If the IDS needs the data in proper HTTP request or response format, you'll need to be careful not to destroy this existing formatting if editing the content.
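The framing point above, as an added worked example (this is not code from the post or an F5 iRule; it models the TCP payload bytes in Python). The constructed `REQUEST_PAYLOAD` and `RESPONSE_PAYLOAD` are the request and response from the post as the wire would carry them, CRLF included. `parse_http_message`/`build_http_message` split and re-serialize strictly on `\r\n`, so a header edit such as `rewrite_header` round-trips cleanly; `naive_rewrite` shows the mistake the post warns about, where a text-oriented split and `\n` join silently turn the CRLF framing into bare LF and erase the blank line that ends the headers. `is_crlf_framed` is the check to run before handing the buffer to anything that expects a well-formed HTTP message. All function names are this example's own.

```python
# Constructed samples: the messages from the post as raw TCP payload bytes.
# A plain syslog dump would hide the \r\n terminators; repr() shows them.
REQUEST_PAYLOAD = (
    b"GET /foo HTTP/1.1\r\n"
    b"Host: foo.example.com\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
RESPONSE_PAYLOAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def parse_http_message(payload: bytes):
    """Split a raw HTTP request or response into (start line, headers, body).

    Splits only on CRLF and on the CRLFCRLF end-of-headers marker, so the
    framing the peer sent is what we reason about, not a normalized copy.
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no CRLFCRLF end of headers")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.decode("ascii").strip(), value.decode("ascii").strip()))
    return start_line, headers, body


def build_http_message(start_line: str, headers, body: bytes = b"") -> bytes:
    """Re-serialize with CRLF after every line and an empty CRLF line before the body."""
    out = start_line.encode("ascii") + b"\r\n"
    for name, value in headers:
        out += f"{name}: {value}".encode("ascii") + b"\r\n"
    return out + b"\r\n" + body


def rewrite_header(payload: bytes, name: str, new_value: str) -> bytes:
    """Edit one header value while keeping the HTTP framing intact."""
    start_line, headers, body = parse_http_message(payload)
    headers = [(n, new_value if n.lower() == name.lower() else v) for n, v in headers]
    return build_http_message(start_line, headers, body)


def naive_rewrite(payload: bytes, name: str, new_value: str) -> bytes:
    """The mistake to avoid: treating the payload as text lines.

    str.splitlines() eats the CRLFs and the '\\n'.join() puts back bare LF,
    so the result is no longer a parseable HTTP message.
    """
    out = []
    for line in payload.decode("ascii").splitlines():
        if line.lower().startswith(name.lower() + ":"):
            line = f"{name}: {new_value}"
        out.append(line)
    return "\n".join(out).encode("ascii")


def is_crlf_framed(payload: bytes) -> bool:
    """True if the header block ends with CRLFCRLF and contains no stray CR or LF.

    A cheap sanity check before forwarding an edited buffer to an IDS.
    """
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return False
    stripped = head.replace(b"\r\n", b"")
    return b"\r" not in stripped and b"\n" not in stripped


if __name__ == "__main__":
    good = rewrite_header(REQUEST_PAYLOAD, "Host", "bar.example.com")
    bad = naive_rewrite(REQUEST_PAYLOAD, "Host", "bar.example.com")
    print("careful edit:", repr(good), is_crlf_framed(good))
    print("naive edit:  ", repr(bad), is_crlf_framed(bad))
    print("response body:", parse_http_message(RESPONSE_PAYLOAD)[2])
```

Note that `print(payload.decode())` reproduces the post's observation: the CRLFs render as line breaks and look identical whether they are `\r\n` or `\n`, which is exactly why a byte-level check like `is_crlf_framed` is worth more than eyeballing a log.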