[Oisf-devel] assymmetric flow, app layer event, ...

Carl Soeder csoeder at bbn.com
Fri Mar 15 17:03:58 UTC 2013


I'm writing an application layer module that triggers events, and I was
puzzled why I wasn't seeing alerts despite running packets through it that
triggered the event and loading rules to generate alerts when the events are
triggered.


I discovered that SigMatchSignatures is fussy about flow being established
before signaling a match. This fussiness creates unexpected behavior on
asymmetric flows: missing alerts and alerts associated with the wrong
packet.


Another thing I noticed that surprised me is that events are associated with
flows but don't carry information about the packet. Combine this with
fussiness about flow, and alerts can be generated for events that refer to the
wrong packet. Consider a packet at the start of the flow that causes the
application layer module to generate an event. Because the flow hasn't been
established, an alert won't be generated for the packet. But the event is
still pending so an alert may be generated for another packet in the flow
once flow is established.


Does Suricata have ambitions to work correctly in the presence of asymmetric
flows?


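The misattribution described in the post, as an added toy model written for this page (it is not code from the post and not Suricata's data structures or API). It assumes a made-up flow struct with a per-flow event queue, a made-up "established" test that requires both directions to have been seen, and a detect step that optionally gates on that test (the behaviour the post attributes to SigMatchSignatures) and optionally reports an event against the packet that raised it rather than the packet being inspected. The packet sequences are constructed; the string "BAD" is the stand-in for whatever the parser would object to.

```c
/* Toy model of flow-scoped app-layer events vs packet-scoped alerts.
 * Constructed for illustration only; not Suricata's real structures. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 8
#define MAX_ALERTS 8

enum direction { TO_SERVER, TO_CLIENT };

struct packet {
    enum direction dir;
    const char *payload;
};

/* 'pkt' is the number of the packet that raised the event. The post says real
 * events carry no such field; tag_packet below decides whether it is used. */
struct event {
    int id;
    uint64_t pkt;
};

struct flow {
    int seen_toserver;
    int seen_toclient;
    struct event events[MAX_EVENTS];
    int nevents;
};

struct alert {
    int event_id;
    uint64_t pkt;   /* packet the alert is reported against */
};

/* Hypothetical rule: established means both directions seen, which can
 * never happen on an asymmetric flow. */
static int flow_established(const struct flow *f)
{
    return f->seen_toserver && f->seen_toclient;
}

/* Stand-in parser: raises event 1 whenever the payload contains "BAD". */
static void app_layer_parse(struct flow *f, uint64_t pktnum, const char *payload)
{
    if (strstr(payload, "BAD") != NULL && f->nevents < MAX_EVENTS) {
        f->events[f->nevents].id = 1;
        f->events[f->nevents].pkt = pktnum;
        f->nevents++;
    }
}

/* Detection step for one packet. Pending events stay on the flow while the
 * gate holds; consumed events are cleared. Returns alerts written. */
static int detect(struct flow *f, uint64_t pktnum, int gate_on_established,
                  int tag_packet, struct alert *out, int max_out)
{
    int n = 0;
    if (gate_on_established && !flow_established(f))
        return 0;
    for (int i = 0; i < f->nevents && n < max_out; i++, n++) {
        out[n].event_id = f->events[i].id;
        out[n].pkt = tag_packet ? f->events[i].pkt : pktnum;
    }
    f->nevents = 0;
    return n;
}

/* Runs a packet sequence through a fresh flow; returns the alert count. */
static int run(const struct packet *pkts, int npkts, int gate_on_established,
               int tag_packet, struct alert *alerts, int max_alerts)
{
    struct flow f;
    memset(&f, 0, sizeof f);
    int total = 0;
    for (int i = 0; i < npkts; i++) {
        uint64_t pktnum = (uint64_t)i + 1;
        if (pkts[i].dir == TO_SERVER) f.seen_toserver = 1; else f.seen_toclient = 1;
        app_layer_parse(&f, pktnum, pkts[i].payload);
        total += detect(&f, pktnum, gate_on_established, tag_packet,
                        alerts + total, max_alerts - total);
    }
    return total;
}

/* Packet number the first alert is reported against, or 0 if no alert. */
static uint64_t first_alert_pkt(const struct packet *pkts, int npkts,
                                int gate_on_established, int tag_packet)
{
    struct alert a[MAX_ALERTS];
    int n = run(pkts, npkts, gate_on_established, tag_packet, a, MAX_ALERTS);
    return n > 0 ? a[0].pkt : 0;
}

/* Constructed traffic; packet 1 carries the offending payload in both cases. */
static const struct packet symmetric[] = {
    { TO_SERVER, "GET /BAD HTTP/1.1" },
    { TO_CLIENT, "HTTP/1.1 200 OK" },
    { TO_SERVER, "GET /index HTTP/1.1" },
};
static const struct packet asymmetric[] = {   /* server side never seen */
    { TO_SERVER, "GET /BAD HTTP/1.1" },
    { TO_SERVER, "GET /index HTTP/1.1" },
};

int main(void)
{
    printf("symmetric, gated, untagged: alert on packet %llu\n",
           (unsigned long long)first_alert_pkt(symmetric, 3, 1, 0));
    printf("symmetric, gated, tagged:   alert on packet %llu\n",
           (unsigned long long)first_alert_pkt(symmetric, 3, 1, 1));
    printf("asymmetric, gated:          alert on packet %llu (0 = none)\n",
           (unsigned long long)first_alert_pkt(asymmetric, 2, 1, 0));
    printf("asymmetric, ungated:        alert on packet %llu\n",
           (unsigned long long)first_alert_pkt(asymmetric, 2, 0, 0));
    return 0;
}
```

With the gate on and no packet tag, the event raised by packet 1 of the symmetric flow is reported against packet 2, the first packet inspected after the flow counts as established; tagging the event with its originating packet reports it against packet 1. On the asymmetric flow the gate is never satisfied, so the event is never reported at all unless the gate is dropped.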