[Oisf-users] Suricata treating two flows as one?

Ken Steele ken_steele at yahoo.com
Thu Nov 13 19:25:02 UTC 2014 

It seems like some alert should be generate for a second SYN on the same 5-tuple, since that is unusual.

-Ken

> On Nov 13, 2014, at 2:17 PM, Duane Howard <duane.security at gmail.com> wrote:
> 
> This makes, sense, but if the content I'm looking for occurs twice in that 'session' should I not get a second alert? Is there something that says 'only alert once every so often'?
> I've got an empty threshold.config so I'm unsure of anything that might be built in to cause this...
> 
> ./d
> 
>> On Thu, Nov 13, 2014 at 11:10 AM, Victor Julien <lists at inliniac.net> wrote:
>> On 11/13/2014 07:29 PM, Duane Howard wrote:
>> > In a test pcap, I have two distinct sessions (neither is closed) that
>> > look something like:
>> >
>> > SYN, SYN-ACK, ACK, HTTP-GET
>> > SYN, SYN-ACK, ACK, HTTP-GET
>> >
>> > They do both have the same 5-tuple so they'd look like the same session
>> > if there wasn't a new 3-way handshake. (imo the second three-way
>> > handshake should kill the first session and start a new one).
>> 
>> Until the flow engine times out a TCP sesssion, we consider SYN packets
>> on such sessions erroneous. The time out is controlled by:
>> 
>> flow-timeouts:
>>   tcp:
>>     new: 60
>>     established: 3600 # <- this
>>     closed: 120
>> 
>> Only if the TCP state has moved to CLOSED, which is after a
>> successful/valid FIN handshake or RST, new SYN's are accepted. In this
>> case we do reuse the flow structure itself, but reset the TCP session.
>> This will lead to an increment of the tcp.reuse counter in your stats.log.
>> 
>> > Snort will alert twice (once per flow) but Suricata will only alert once
>> > and the recorded time seems to be the time of the packet at the final
>> > ACK for the second flow. Where snort's alert times map directly to the
>> > packet times of the GET request that my rule is looking for.
>> >
>> > I'm still new to Suricata, is there some flow/sessionization setup
>> > configuration I'm missing that would cause this behavior? I'm on 2.0.4
>> > built from source. Also, why would the alert time in the fast.log map to
>> > a packet *after* the suspect content?
>> 
>> In IDS mode we inspect the HTTP session based on stream reassembly,
>> which runs on ACK'd data. So only after the ACK do we inspect most of
>> the rules.
>> 
>> There is some separate logic for when the flow ends (times out) w/o that
>> ACK.
>> 
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141113/f6ed6521/attachment-0002.html>

More information about the Oisf-users mailing list