<br><br><div class="gmail_quote">On Fri, Mar 15, 2013 at 6:03 PM, Carl Soeder <span dir="ltr"><<a href="mailto:csoeder@bbn.com" target="_blank">csoeder@bbn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal">I’m writing an application layer module that trigger events, and I was puzzled why I wasn’t seeing alerts despite running packets through that triggered event and loading rules to generate alerts when the events are triggered.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I discovered that SigMatchSignatures is fussy about flow being established before signaling a match. This fussiness creates unexpected behavior on asymmetric flows: missing alerts and alerts associated with the wrong packet.</p>
</div></div></blockquote><div> <br></div><div>Would you be able to share a reproducible case/scenario/pcap?<br>Is that very same behaviour replicated by alert-debug.log ?<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal"><u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Another thing I noticed that surprised me is that events are associated with flows but don’t carry information about the packet. Combine this with fussiness about flow, and alerts can generated for events that refer to the wrong packet. Consider a packet at the start of the flow that causes the application layer module to generate an event. Because the flow hasn’t been established, an alert won’t be generated for the packet. But the event is still pending so an alert may be generated for another packet in the flow once flow is established.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Does Suricata have ambitions to work correctly in the presence of asymmetric flows?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div><br>_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div>