| @@ -0,0 +1,22 @@ | |||
| requires: | |||
actually this is an unrelated test
| checks: | ||
| - filter: | ||
| min-version: 8 | ||
| count: 24 |
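Review bot: `count: 24` is a bare expectation with nothing in the hunk saying where the 24 alerts come from; since the rule under test (per the review, `drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:3;)`) is exactly the case where alerting on flow-timeout pseudo packets is being questioned, add a YAML comment or README line naming which packets are expected to contribute, so a later change to pseudo-packet handling can be told apart from a regression.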
this I think makes sense, the sig is
drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:3;)
If there are no "real" packets, why raise alerts?
| checks: | ||
| - filter: | ||
| min-version: 8 | ||
| count: 25 |
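Review bot: the expected `count: 25` depends on whether the stream-end pseudo packets match `alert http any any -> any any (sid: 1;)`, which the thread says differs between master and OISF/suricata#12169; `min-version: 8` only pins the major version, so state in the test which Suricata change this count assumes (or gate on the exact version that carries it) before merging.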
The rule here is
alert http any any -> any any (sid: 1;)
Should it match on the stream end packets?
@catenacyber are there cases where only at the end of the stream, with the pseudo packets we detect the app protocol? I guess we could, if data stays un-ack'd, then stream terminates, FFR will force handling of un-ACK'd data, detect protocol.
I also guess we could indeed...
It matched in master on sid 2, in OISF/suricata#12169 it won't match.
Data is unacked, so it is only processed by flow timeout packets. This is when the alert will be generated.
I think this should get closed in favor of the other couple of Suricata + SV PRs.
#2174 has just the sig packet type test updates.
Various tests related to changes in handling of flow timeout packets.