[Oisf-devel] assymmetric flow, app layer event, ...
Peter Manev
petermanev at gmail.com
Sat Mar 16 10:23:37 UTC 2013
On Fri, Mar 15, 2013 at 6:03 PM, Carl Soeder <csoeder at bbn.com> wrote:
> I’m writing an application layer module that trigger events, and I was
> puzzled why I wasn’t seeing alerts despite running packets through that
> triggered event and loading rules to generate alerts when the events are
> triggered.****
>
> ** **
>
> I discovered that SigMatchSignatures is fussy about flow being established
> before signaling a match. This fussiness creates unexpected behavior on
> asymmetric flows: missing alerts and alerts associated with the wrong
> packet.
>
Would you be able to share a reproducible case/scenario/pcap?
Is that very same behaviour replicated by alert-debug.log ?
> ****
>
> ** **
>
> Another thing I noticed that surprised me is that events are associated
> with flows but don’t carry information about the packet. Combine this with
> fussiness about flow, and alerts can generated for events that refer to the
> wrong packet. Consider a packet at the start of the flow that causes the
> application layer module to generate an event. Because the flow hasn’t been
> established, an alert won’t be generated for the packet. But the event is
> still pending so an alert may be generated for another packet in the flow
> once flow is established.****
>
> ** **
>
> Does Suricata have ambitions to work correctly in the presence of
> asymmetric flows?****
>
> ** **
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
--
Regards,
Peter Manev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130316/01c2b86f/attachment-0002.html>
More information about the Oisf-devel
mailing list