[Oisf-users] a question about session detection
Risto Vaarandi
Risto.Vaarandi at seb.ee
Thu Jan 14 09:40:30 UTC 2016
Hi all,
I have a question about how the "flow:" match option is interpreted by Suricata. One of my test signatures looks like this:
alert tcp any any -> any 8023 (msg:"Session to port 8023 established"; flow:established,to_server; threshold: type both, track by_dst, count 1, seconds 3600; classtype:bad-unknown; sid:8000001; rev:1;)
When connecting to port 8023/tcp on a host which responds with an RST-ACK packet to the connection attempt, a repeated SYN packet from the client with the same source port number triggers this signature. Previously, I was thinking that only the exchange of SYN and SYN-ACK packets will mark the connection as established, but apparently it also happens when SYN and RST-ACK are exchanged. Is this expected behavior?
Kind regards,
risto
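To make the question concrete, here is an added toy flow tracker (not Suricata's flow engine, and not part of the original mail) that encodes the expectation stated above, that only a SYN followed by a SYN-ACK marks a flow established, and then evaluates the signature's flow:established,to_server and threshold options over two constructed packet sequences. All hosts, ports and timestamps are made up; under this assumed model the SYN / RST-ACK / SYN case produces no alert, so whichever model Suricata actually uses is what decides the observed alert.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "RA", "A"

SYN_SENT, ESTABLISHED, RESET = "syn_sent", "established", "reset"

class FlowTracker:
    """Assumed model (not Suricata's): a flow is established only after
    SYN then SYN-ACK; any RST tears it down; a fresh SYN from the client
    reopens the flow in syn_sent, even on the same source port."""
    def __init__(self):
        self.flows = {}  # key -> [state, client endpoint (the SYN sender)]

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def update(self, p):
        k = self.key(p)
        if p.flags == "S":                       # bare SYN: flow (re)starts
            self.flows[k] = [SYN_SENT, (p.src, p.sport)]
        elif k in self.flows:
            st = self.flows[k]
            if "R" in p.flags:                   # RST or RST-ACK
                st[0] = RESET
            elif p.flags == "SA" and st[0] == SYN_SENT and (p.dst, p.dport) == st[1]:
                st[0] = ESTABLISHED
        return self.flows.get(k)

def matches_sig(p, flow):
    """flow:established,to_server plus the 'tcp any any -> any 8023' header."""
    return (flow is not None and flow[0] == ESTABLISHED
            and (p.src, p.sport) == flow[1] and p.dport == 8023)

def run_signature(packets, window=3600):
    """Alert timestamps; threshold type both, track by_dst, count 1, seconds 3600:
    at most one alert per destination IP per window."""
    tracker, last_alert, alerts = FlowTracker(), {}, []
    for p in packets:
        if matches_sig(p, tracker.update(p)):
            if p.dst not in last_alert or p.ts - last_alert[p.dst] >= window:
                last_alert[p.dst] = p.ts
                alerts.append(p.ts)
    return alerts

# Constructed packet sequences (not captured traffic).
RST_CASE = [Pkt(0.0, "10.0.0.5", 40000, "10.0.0.9", 8023, "S"),
            Pkt(0.01, "10.0.0.9", 8023, "10.0.0.5", 40000, "RA"),
            Pkt(3.0, "10.0.0.5", 40000, "10.0.0.9", 8023, "S")]   # repeated SYN, same sport
HANDSHAKE_CASE = [Pkt(0.0, "10.0.0.5", 40001, "10.0.0.9", 8023, "S"),
                  Pkt(0.01, "10.0.0.9", 8023, "10.0.0.5", 40001, "SA"),
                  Pkt(0.02, "10.0.0.5", 40001, "10.0.0.9", 8023, "A"),
                  Pkt(100.0, "10.0.0.5", 40001, "10.0.0.9", 8023, "PA"),   # suppressed
                  Pkt(4000.0, "10.0.0.5", 40001, "10.0.0.9", 8023, "PA")]  # new window
```

Running `run_signature` over the two lists shows one alert per 3600 s window for the completed handshake and none for the reset case; replaying a real pcap through Suricata and comparing against this output isolates the flow-state difference.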