[Oisf-users] Question "don’t allow midstream session pickups"

Cloherty, Sean E scloherty at mitre.org
Wed Feb 7 17:46:55 UTC 2018

Thanks Steve ---  That is much clearer.

Ultimately my concern is the possibility of a midstream pickup causing the src and dst hosts to be reversed even with the async set to true.  IIRC I am pretty sure that the docs indicate that once the directionality for any pair of hosts is set, it doesn’t get changed for an indefinite period of time.


From: Steve Castellarin [mailto:steve.castellarin at gmail.com]
Sent: Wednesday, February 07, 2018 12:37 PM
To: Cloherty, Sean E <scloherty at mitre.org>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Question "don’t allow midstream session pickups"

Hey Sean,

Take a look at http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html, section (Stream-engine).  There's a much better explanation than that in the comments of the YAML.  As for "midstream: true" I think it means Suricata will not ignore streams that were created before Suricata started.  I'm not sure about "async-onside: true/false".


On Wed, Feb 7, 2018 at 12:26 PM, Cloherty, Sean E <scloherty at mitre.org<mailto:scloherty at mitre.org>> wrote:
I’ve got a question about something that has made me wonder for a while –

Does midstream: false  “#don’t allow midstream session pickups”  mean that it is not being allowed or is it that  “don’t allow midstream” is not allowing midstream pickup if the value is true?

I am assuming that the true or false indicates that the function is enabled or disabled.  However, reading the setting value and the remark following … the double negative “false and “don’t allow” leaves me wondering.

I have the same question for async-oneside: false.

midstream: false              # don't allow midstream session pickups
async-oneside: false          # don't enable async stream handling

Sean Cloherty
InfoSec Engineer/Scientist, Lead
MITRE Corporation
office (781) 271-3707<tel:(781)%20271-3707>
cell      (781) 697-8043<tel:(781)%20697-8043>

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org<mailto:oisf-users at openinfosecfoundation.org>
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180207/5b66feac/attachment-0002.html>

More information about the Oisf-users mailing list