<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body lang="EN-US">
<p>I’m writing an application layer module that triggers events, and I was puzzled why I wasn’t seeing alerts despite running packets through that triggered the event and loading rules to generate alerts when the events are triggered.</p>
<p>I discovered that SigMatchSignatures is fussy about the flow being established before signaling a match. This fussiness creates unexpected behavior on asymmetric flows: missing alerts and alerts associated with the wrong packet.</p>
<p>Another thing I noticed that surprised me is that events are associated with flows but don’t carry information about the packet. Combine this with the fussiness about flow, and alerts can be generated for events that refer to the wrong packet. Consider a packet at the start of the flow that causes the application layer module to generate an event. Because the flow hasn’t been established, an alert won’t be generated for the packet. But the event is still pending, so an alert may be generated for another packet in the flow once the flow is established.</p>
<p>Does Suricata have ambitions to work correctly in the presence of asymmetric flows?</p>
</body></html>
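The two effects the post describes (a missed alert on a one-directional flow, and an alert attributed to a later packet than the one that raised the event) can be reproduced in a small model. The following is an added illustration, not Suricata's code and not the poster's module: the names `Packet`, `Flow`, `detect_events` and `run_flow`, the sample packets, and the rule that a flow counts as established once both directions have been seen are all assumptions made here so the interaction is easy to trace. The two switches `require_established` and `events_carry_packet` exist only to show what changes when the alert is no longer gated on establishment, or when the event remembers which packet produced it.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    seq: int            # constructed packet number, used to name the packet in alerts
    direction: str      # "toserver" or "toclient"
    payload: bytes


@dataclass
class Flow:
    seen_directions: set = field(default_factory=set)
    established: bool = False
    # App-layer events pending on the flow, as (event_id, origin_seq).
    # origin_seq is only recorded when events_carry_packet is True; the
    # post's point is that the real events do not carry it.
    pending: list = field(default_factory=list)


def detect_events(pkt):
    """Stand-in for the app-layer module: raise event id 1 on a 'BAD' payload."""
    return [1] if b"BAD" in pkt.payload else []


def run_flow(packets, rules, require_established=True, events_carry_packet=False):
    """Feed packets of one flow through the toy engine; return (event_id, seq) alerts."""
    flow = Flow()
    alerts = []
    for pkt in packets:
        flow.seen_directions.add(pkt.direction)
        # Toy establishment rule (assumption): both directions have been seen.
        if len(flow.seen_directions) == 2:
            flow.established = True
        for ev in detect_events(pkt):
            flow.pending.append((ev, pkt.seq if events_carry_packet else None))
        if require_established and not flow.established:
            # Mirrors the "fussy" behaviour: no match is signalled for this
            # packet, but the event stays pending on the flow.
            continue
        for ev, origin in flow.pending:
            if ev in rules:
                # Without a packet reference the alert can only be tied to
                # the packet currently being inspected.
                alerts.append((ev, origin if origin is not None else pkt.seq))
        flow.pending.clear()
    return alerts


# Constructed sample traffic: the first packet of each flow raises the event.
SYMMETRIC = [Packet(1, "toserver", b"BAD request"), Packet(2, "toclient", b"response")]
ASYMMETRIC = [Packet(1, "toserver", b"BAD request"), Packet(2, "toserver", b"more data")]
RULES = {1}   # rule set that alerts on event id 1


if __name__ == "__main__":
    print("symmetric, as described: ", run_flow(SYMMETRIC, RULES))
    print("symmetric, event keeps packet:", run_flow(SYMMETRIC, RULES, events_carry_packet=True))
    print("asymmetric, as described:", run_flow(ASYMMETRIC, RULES))
    print("asymmetric, no gating:   ", run_flow(ASYMMETRIC, RULES, require_established=False))
```

With the behaviour as described, the symmetric flow alerts on packet 2 although packet 1 raised the event, and the asymmetric flow never alerts because it never reaches the established state. Recording the originating packet on the event fixes the attribution; dropping the establishment gate (or establishing on other criteria) is what would be needed for the missed alert.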