Murad
Not sure if it's related or not, but the http_extractor module, assuming you're using the one from the base and not a custom one, doesn't output anything for downstream modules...
Ah, yeah, that's because your installation is system-wide and your modules are not, you'll need to inform chopshop where your custom modules are by either using the -B or -M...
I actually really dislike nids/pynids -- it was the requirement for chopshop when it was first created since pynids was heavily used in my shop and others as the basis...
Not sure if you found a workaround, but take a look at the verbose-unicode-error-msgs branch. I added some code a while back to handle unicode a bit differently --...
What's your full invocation? From what you've said this was data captured on a proxy server? If that's the case the proxy server should be making outbound connections to regular...
Hmm, have you verified whether the http data is 1.0 or 1.1? I don't think the back-end code (libhtp) supports 2.0. If that's not it, it could be a bug...
:( libnids (what chopshop uses in the backend to process packets) needs to see the handshake. It's a known and very annoying limitation ...
This is a bug in m2crypto (see https://gitlab.com/m2crypto/m2crypto/issues/69). The easiest workaround is to use the python-m2crypto package on Ubuntu/Debian until the PyPI version is fixed. The docker build is...
So, I took a look at the pcap and they're using an http upgrade -- have you seen something similar in the wild? I was under the impression that none...