[Oisf-users] single flow treated as two?
Duane Howard
duane.security at gmail.com
Fri Nov 14 17:18:06 UTC 2014
I'm back again. =)
While processing a pcap that has 1 session, 5 packets Suricata seems to be
treating this flow as two unique flows and assigning to two different flow
handler queues:
$ suricata -c configs/suricata.yaml -r test.pcap
<snip>
14/11/2014 -- 17:10:26 - <Notice> - Pcap-file module read 5 packets, 614
bytes
14/11/2014 -- 17:10:26 - <Info> - AutoFP - Total flow handler queues - 6
14/11/2014 -- 17:10:26 - <Info> - AutoFP - Queue 0 - pkts: 3
flows: 1
14/11/2014 -- 17:10:26 - <Info> - AutoFP - Queue 1 - pkts: 2
flows: 1
<snip>
14/11/2014 -- 17:10:26 - <Info> - Stream TCP processed 3 TCP packets
14/11/2014 -- 17:10:26 - <Info> - Fast log output wrote 0 alerts
14/11/2014 -- 17:10:26 - <Info> - (Detect1) Alerts 0
14/11/2014 -- 17:10:26 - <Info> - Alert unified2 module wrote 0 alerts
14/11/2014 -- 17:10:26 - <Info> - Stream TCP processed 2 TCP packets
14/11/2014 -- 17:10:26 - <Info> - Fast log output wrote 0 alerts
<snip>
$tcpdump -n -r test.pcap
01:13:01.020098 IP 172.18.153.6.28865 > 222.173.116.208.80: Flags [S], seq
4179007559, win 65535, length 0
01:13:01.020128 IP 222.173.116.208.80 > 172.18.153.6.28865: Flags [S.], seq
2638191351, ack 4179007560, win 65535, length 0
01:13:01.020159 IP 172.18.153.6.28865 > 222.173.116.208.80: Flags [.], ack
1, win 65535, length 0
01:13:01.020188 IP 172.26.223.15.28865 > 222.173.116.208.80: Flags [P.],
seq 4179007560:4179007904, ack 2638191352, win 65535, length 344
01:13:01.020220 IP 222.173.116.208.80 > 172.26.223.15.28865: Flags [P.],
ack 344, win 65535, length 0
The content of that 4th packet should generate an alert (and does in
Snort), I'm thinking because I check for 'flow:established,to_server' this
is failing because the 5 packets (1 session) are assigned to two different
Detect threads? Since one detect thread would see the three-way handshake
and the other sees the HTTP content I'm looking for?
These are generated pcaps, not from real traffic, but everything *should*
look like real traffic.
Thoughts?
./d
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141114/98fa3614/attachment.html>
More information about the Oisf-users
mailing list