[Oisf-users] Question "don’t allow midstream session pickups"
Cloherty, Sean E
scloherty at mitre.org
Wed Feb 7 17:46:55 UTC 2018
Thanks Steve --- That is much clearer.
Ultimately my concern is the possibility of a midstream pickup causing the src and dst hosts to be reversed even with the async set to true. IIRC I am pretty sure that the docs indicate that once the directionality for any pair of hosts is set, it doesn’t get changed for an indefinite period of time.
Sean
From: Steve Castellarin [mailto:steve.castellarin at gmail.com]
Sent: Wednesday, February 07, 2018 12:37 PM
To: Cloherty, Sean E <scloherty at mitre.org>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Question "don’t allow midstream session pickups"
Hey Sean,
Take a look at http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html, section 8.1.12.3 (Stream-engine). There's a much better explanation than that in the comments of the YAML. As for "midstream: true" I think it means Suricata will not ignore streams that were created before Suricata started. I'm not sure about "async-oneside: true/false".
Steve
On Wed, Feb 7, 2018 at 12:26 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
I’ve got a question about something that has made me wonder for a while –
Does midstream: false “#don’t allow midstream session pickups” mean that it is not being allowed or is it that “don’t allow midstream” is not allowing midstream pickup if the value is true?
I am assuming that the true or false indicates that the function is enabled or disabled. However, reading the setting value and the remark following … the double negative of “false” and “don’t allow” leaves me wondering.
I have the same question for async-oneside: false.
midstream: false # don't allow midstream session pickups
async-oneside: false # don't enable async stream handling
Sean Cloherty
InfoSec Engineer/Scientist, Lead
MITRE Corporation
office (781) 271-3707
cell (781) 697-8043
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
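The thread's question is whether the YAML comment or the value carries the meaning. In Suricata's stream engine the value is the toggle and the trailing comment only describes what the default value does: `midstream: false` means sessions whose TCP handshake was not seen are not picked up, and `async-oneside: false` means one-direction-only stream handling is off. The script below is an added illustration for this thread, not Suricata code: it reads the two toggles from a constructed `stream:` snippet (modelled on the lines Sean quoted, plus a couple of extra keys to show that non-boolean and nested entries are skipped) and prints the documented behaviour for each value, accepting the YAML spellings true/false, yes/no and on/off.

```python
"""Added example for the oisf-users thread on `midstream` / `async-oneside`.

Not Suricata code. The YAML snippet is constructed; the parsing is the
minimum needed for the top-level keys of the `stream:` block.
"""

import re

# Constructed snippet modelled on the stream section quoted in the thread.
SAMPLE_YAML = """\
stream:
  memcap: 64mb
  checksum-validation: yes      # reject incorrect csums
  midstream: false              # don't allow midstream session pickups
  async-oneside: false          # don't enable async stream handling
  inline: auto                  # auto will use inline mode in IPS mode
  reassembly:
    memcap: 256mb
"""

# Documented behaviour of each toggle for each value. The text for False
# matches the YAML comment; the text for True is what the option does when
# it is switched on.
SEMANTICS = {
    "midstream": {
        False: "TCP sessions whose 3-way handshake was not seen are ignored "
               "(no midstream session pickups)",
        True:  "TCP sessions are picked up midstream, i.e. without a seen "
               "handshake, such as flows that existed before Suricata started",
    },
    "async-oneside": {
        False: "async (one-direction-only) stream handling is disabled",
        True:  "streams for which only one direction of traffic is visible "
               "are still tracked",
    },
}

# YAML 1.1 boolean spellings that Suricata accepts in suricata.yaml.
YAML_TRUE = {"true", "yes", "on"}
YAML_FALSE = {"false", "no", "off"}


def parse_stream_toggles(text):
    """Return {key: bool} for boolean keys directly under `stream:`.

    Handles `key: value  # comment` lines indented one level (two spaces)
    under `stream:`. Nested blocks (e.g. `reassembly:`) and non-boolean
    values (e.g. `memcap: 64mb`, `inline: auto`) are skipped.
    """
    toggles = {}
    in_stream = False
    for line in text.splitlines():
        if re.match(r"^stream:\s*(#.*)?$", line):
            in_stream = True
            continue
        if in_stream and line and not line.startswith(" "):
            break  # reached the next top-level section
        if not in_stream:
            continue
        m = re.match(r"^  ([A-Za-z0-9_-]+):\s*([^#\s]+)?\s*(#.*)?$", line)
        if not m or m.group(2) is None:
            continue  # nested block header, deeper indentation, or no value
        key, raw = m.group(1), m.group(2).lower()
        if raw in YAML_TRUE:
            toggles[key] = True
        elif raw in YAML_FALSE:
            toggles[key] = False
    return toggles


def explain(toggles):
    """Map the two toggles discussed in the thread to their behaviour."""
    return {k: SEMANTICS[k][toggles[k]] for k in SEMANTICS if k in toggles}


if __name__ == "__main__":
    parsed = parse_stream_toggles(SAMPLE_YAML)
    for key, meaning in explain(parsed).items():
        print(f"{key}: {parsed[key]} -> {meaning}")
```

Flipping `midstream: false` to `midstream: true` in the snippet changes the printed explanation to the pickup behaviour, which is the reading Steve gives above; the comment text itself is never consulted, only the value.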