[Oisf-users] Suricata treating two flows as one?

Victor Julien lists at inliniac.net
Thu Nov 13 19:10:26 UTC 2014

On 11/13/2014 07:29 PM, Duane Howard wrote:
> In a test pcap, I have two distinct sessions (neither is closed) that
> look something like:
> They do both have the same 5-tuple so they'd look like the same session
> if there wasn't a new 3-way handshake. (imo the second three-way
> handshake should kill the first session and start a new one).

Until the flow engine times out a TCP sesssion, we consider SYN packets
on such sessions erroneous. The time out is controlled by:

    new: 60
    established: 3600 # <- this
    closed: 120

Only if the TCP state has moved to CLOSED, which is after a
successful/valid FIN handshake or RST, new SYN's are accepted. In this
case we do reuse the flow structure itself, but reset the TCP session.
This will lead to an increment of the tcp.reuse counter in your stats.log.

> Snort will alert twice (once per flow) but Suricata will only alert once
> and the recorded time seems to be the time of the packet at the final
> ACK for the second flow. Where snort's alert times map directly to the
> packet times of the GET request that my rule is looking for.
> I'm still new to Suricata, is there some flow/sessionization setup
> configuration I'm missing that would cause this behavior? I'm on 2.0.4
> built from source. Also, why would the alert time in the fast.log map to
> a packet *after* the suspect content?

In IDS mode we inspect the HTTP session based on stream reassembly,
which runs on ACK'd data. So only after the ACK do we inspect most of
the rules.

There is some separate logic for when the flow ends (times out) w/o that

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list