[Oisf-users] a question about session detection

Risto Vaarandi Risto.Vaarandi at seb.ee
Thu Jan 14 09:40:30 UTC 2016

Hi all,
I have a question about how the "flow:" match option is interpreted by Suricata. One of my test signatures looks like this:

alert tcp any any -> any 8023 (msg:"Session to port 8023 established"; flow:established,to_server; threshold: type both, track by_dst, count 1, seconds 3600; classtype:bad-unknown; sid:8000001; rev:1;)

When connecting to port 8023/tcp on a host which responds with RST-ACK packet to the connection attempt, a repeated SYN-packet from the client with the same source port number triggers this signature. Previously, I was thinking that only the exchange of SYN and SYN-ACK packets will mark the connection as established, but apparently it also happens when SYN and RST-ACK are exchanged. Is this expected behavior?

Kind regards,

More information about the Oisf-users mailing list