[Oisf-users] How to use Suricata to detect one-way flows?

Qinwen Hu qhu009 at aucklanduni.ac.nz
Fri Oct 16 03:13:06 UTC 2015


Hi All,

I used the following scripts for detecting one way flow.

-- Suricata Lua detection script: flag flows that carry traffic in one direction only.
function init (args)
    local needs = {}
    needs["packet"] = tostring(true)
    return needs
end

function match(args)
    -- 5-tuple of the flow this packet belongs to, as stored by Suricata
    local ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
    -- per-direction counters: ts = to server, tc = to client
    local ts_pkts, ts_bytes, tc_pkts, tc_bytes = SCFlowStats()
    if ts_pkts == nil then
        return 0
    end
    local tmpstr = string.format("Version: %s; srcip %s:%s -> dstip %s:%s; ts: %s and tc: %s",
        ipver, srcip, sp, dstip, dp, ts_pkts, tc_pkts)
    print(tmpstr)

    -- one-way: more than 10 packets in one direction and none in the other
    if ts_pkts > 10 and tc_pkts == 0 then
        return 1
    elseif tc_pkts > 10 and ts_pkts == 0 then
        return 1
    end
    return 0
end


I ran the script for one minute, and when I checked my results, I got
confused. I expected that SCFlowStats() would return the flow information
based on the 5-tuple, so the script could classify the following
packets as one flow.

Version: 4; srcip 210.7.45.14:443 -> dstip 130.216.182.154:51218; ts: 1 and tc: 0
Version: 4; srcip 210.7.45.14:443 -> dstip 130.216.182.154:51218; ts: 3 and tc: 0
Version: 4; srcip 210.7.45.14:443 -> dstip 130.216.182.154:51218; ts: 3 and tc: 0
Version: 4; srcip 130.216.182.154:51218 -> dstip 210.7.45.14:443; ts: 1 and tc: 0

But the results show different information. Why didn't the packet from
130.216.182.154 to 210.7.45.14 count as tc?


I was just wondering whether anyone has had the same problem. Did I miss something in the
script?

Many thanks for your help.



Kind regards,



Steven
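Added here as an illustration, not code from the post or from Suricata: a small Python model of bidirectional flow accounting, assuming that a flow is keyed on the unordered 5-tuple and that the "to server" direction is the direction of the packet that created the flow. It replays the four packets from the output above and applies the same one-way rule as the Lua match() function.

```python
"""Constructed model of per-flow direction counters (ts/tc), not Suricata code."""


def flow_key(ipver, src, sp, dst, dp, proto):
    # Direction-independent key: order the two endpoints so that A->B and B->A collide.
    a, b = (src, sp), (dst, dp)
    return (ipver, proto) + (a + b if a <= b else b + a)


class FlowTable:
    def __init__(self):
        self.flows = {}  # key -> counters and the endpoint that started the flow

    def packet(self, ipver, src, sp, dst, dp, proto="tcp"):
        key = flow_key(ipver, src, sp, dst, dp, proto)
        f = self.flows.get(key)
        if f is None:
            # Assumption: the first packet seen defines the flow's "source" side,
            # even when that packet is really a server reply seen mid-stream.
            f = self.flows[key] = dict(src=src, sp=sp, ts_pkts=0, tc_pkts=0)
        if (src, sp) == (f["src"], f["sp"]):
            f["ts_pkts"] += 1  # same direction as the first packet: to server
        else:
            f["tc_pkts"] += 1  # opposite direction: to client
        return f


def one_way(f, threshold=10):
    # Same rule as the posted Lua script: many packets one way, none the other way.
    return (f["ts_pkts"] > threshold and f["tc_pkts"] == 0) or \
           (f["tc_pkts"] > threshold and f["ts_pkts"] == 0)


def replay_post_packets():
    # Constructed replay of the post's output: three packets from 210.7.45.14:443
    # seen first, then one from 130.216.182.154:51218.
    t = FlowTable()
    for _ in range(3):
        f = t.packet(4, "210.7.45.14", 443, "130.216.182.154", 51218)
    f = t.packet(4, "130.216.182.154", 51218, "210.7.45.14", 443)
    # Under this model: one flow, and the reply lands in tc, not in a new flow.
    return len(t.flows), f["ts_pkts"], f["tc_pkts"]


def simulate_one_way(n=11):
    # Constructed one-directional flow that the rule should flag.
    t = FlowTable()
    for _ in range(n):
        f = t.packet(4, "10.0.0.1", 40000, "10.0.0.2", 53, "udp")
    return one_way(f)
```

If a real run shows the reverse packet starting a new flow with its own counters, as in the output above, the flow was not looked up under the same key, which is worth checking against flow timeouts and the capture setup rather than against the script logic.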

