[Oisf-users] Suricata treating two flows as one?
Duane Howard
duane.security at gmail.com
Thu Nov 13 18:29:13 UTC 2014
In a test pcap, I have two distinct sessions (neither is closed) that look
something like:
SYN, SYN-ACK, ACK, HTTP-GET
SYN, SYN-ACK, ACK, HTTP-GET
They do both have the same 5-tuple so they'd look like the same session if
there wasn't a new 3-way handshake. (imo the second three-way handshake
should kill the first session and start a new one).
Snort will alert twice (once per flow) but Suricata will only alert once,
and the recorded time seems to be the time of the packet at the final ACK
for the second flow, whereas Snort's alert times map directly to the packet
times of the GET request that my rule is looking for.
I'm still new to Suricata; is there some flow/sessionization setup
configuration I'm missing that would cause this behavior? I'm on 2.0.4
built from source. Also, why would the alert time in the fast.log map to a
packet *after* the suspect content?
Thanks,
Duane
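As an added illustration (not part of the original post, and not Suricata's or Snort's code): a minimal flow tracker over constructed packet records that models the behaviour the poster expects, where a fresh SYN arriving on an already-tracked 5-tuple supersedes the earlier session, so the GET in each handshake is alerted with its own packet timestamp. The packet layout, the `Pkt`/`Flow` classes and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""

@dataclass
class Flow:
    key: tuple
    started: float
    state: str = "syn"  # syn -> synack -> established

def flow_key(p):
    # direction-agnostic 5-tuple so both halves of a session map to one flow
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return ("tcp",) + (a + b if a <= b else b + a)

def track(pkts, pattern=b"GET "):
    """Return (flows, alerts). A fresh SYN on a tracked key supersedes the old flow."""
    flows, closed, alerts = {}, [], []
    for p in pkts:
        k = flow_key(p)
        cur = flows.get(k)
        if p.flags == "S":
            if cur is not None:
                closed.append(cur)   # assumption: new handshake ends the earlier session
            cur = flows[k] = Flow(k, p.ts)
        elif cur is None:
            continue                 # midstream packet with no handshake seen: skip
        elif p.flags == "SA" and cur.state == "syn":
            cur.state = "synack"
        elif p.flags == "A" and cur.state == "synack":
            cur.state = "established"
        if cur.state == "established" and pattern in p.payload:
            alerts.append((p.ts, k))  # alert carries the GET packet's own timestamp
    return closed + list(flows.values()), alerts

# Constructed sample: two back-to-back sessions reusing one 5-tuple, neither closed
C, S = ("10.0.0.5", 40000), ("10.0.0.9", 80)
def session(t0):
    return [Pkt(t0, *C, *S, "S"), Pkt(t0 + .01, *S, *C, "SA"),
            Pkt(t0 + .02, *C, *S, "A"), Pkt(t0 + .03, *C, *S, "PA", b"GET / HTTP/1.1\r\n")]
SAMPLE = session(100.0) + session(101.0)
```

Running `track(SAMPLE)` yields two flows and two alerts timestamped at the two GET packets; a real engine that keeps one flow per 5-tuple would instead collapse these into a single session.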