<div dir="ltr">Hey Sean,<div><br>Take a look at <a href="http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html">http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html</a>, section 8.1.12.3 (Stream-engine). There's a much better explanation than that in the comments of the YAML. As for "midstream: true" I think it means Suricata will not ignore streams that were created before Suricata started. I'm not sure about "async-onside: true/false".</div><div><br>Steve</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 7, 2018 at 12:26 PM, Cloherty, Sean E <span dir="ltr"><<a href="mailto:scloherty@mitre.org" target="_blank">scloherty@mitre.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_1192230601028893501WordSection1">
<p class="MsoNormal">I’ve got a question about something that has made me wonder for a while –<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Does midstream: false “#don’t allow midstream session pickups” mean that it is not being allowed or is it that “don’t allow midstream” is not allowing midstream pickup if the value is true?
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am assuming that the true or false indicates that the function is enabled or disabled. However, reading the setting value and the remark following … the double negative “false and “don’t allow” leaves me wondering.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I have the same question for async-oneside: false.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">midstream: false # don't allow midstream session pickups<u></u><u></u></p>
<p class="MsoNormal">async-oneside: false # don't enable async stream handling<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Sean Cloherty<u></u><u></u></p>
<p class="MsoNormal">InfoSec Engineer/Scientist, Lead<u></u><u></u></p>
<p class="MsoNormal"><span style="font-family:MITRE;color:#2e74b5">MITRE</span> Corporation<u></u><u></u></p>
<p class="MsoNormal">office <a href="tel:(781)%20271-3707" value="+17812713707" target="_blank">(781) 271-3707</a><u></u><u></u></p>
<p class="MsoNormal">cell <a href="tel:(781)%20697-8043" value="+17816978043" target="_blank">(781) 697-8043</a><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br></blockquote></div><br></div>