Bug #124

closed

Using the http_cookie keyword seems to cause a match on all packets.

Added by Will Metcalf about 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The attached pcap contains a total of 30 packets. I get 30 alerts, which includes the packets that are part of the TCP TWH. Also it should be noted that Snort begins its normalized buffer for http_cookie with "Cookie: " and not the parsed value.

Regards,

Will

================
TIME: 03/08/10-03:19:54.179765
ALERT CNT: 1
ALERT MSG [00]: http_cookie 1
ALERT GID [00]: 1
ALERT SID [00]: 68
ALERT REV [00]: 1
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 3
SRC IP: 192.168.100.17
DST IP: 96.43.130.5
PROTO: 6
SRC PORT: 38111
DST PORT: 80
FLOW: to_server: TRUE, to_client FALSE
PACKET LEN: 74
PACKET:
0000 00 12 17 26 CD 4B 00 1F 3C 6C C7 2D 08 00 45 00 ...&.K.. <l.-..E.
0010 00 3C 14 9F 40 00 40 06 1F 33 C0 A8 64 11 60 2B .<..@.@. .3..d.`+
0020 82 05 94 DF 00 50 9B EB C4 22 00 00 00 00 A0 02 .....P.. ."......
0030 16 D0 63 94 00 00 02 04 05 B4 04 02 08 0A 00 B6 ..c..... ........
0040 D0 BD 00 00 00 00 01 03 03 07 ........ ..
================
TIME: 03/08/10-03:19:54.242206
ALERT CNT: 1
ALERT MSG [00]: http_cookie 1
ALERT GID [00]: 1
ALERT SID [00]: 68
ALERT REV [00]: 1
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 3
SRC IP: 192.168.100.17
DST IP: 96.43.130.5
PROTO: 6
SRC PORT: 38111
DST PORT: 80
FLOW: to_server: TRUE, to_client FALSE
PACKET LEN: 66
PACKET:
0000 00 12 17 26 CD 4B 00 1F 3C 6C C7 2D 08 00 45 00 ...&.K.. <l.-..E.
0010 00 34 14 A0 40 00 40 06 1F 3A C0 A8 64 11 60 2B .4..@.@. .:..d.`+
0020 82 05 94 DF 00 50 9B EB C4 23 F8 48 C9 E3 80 10 .....P.. .#.H....
0030 00 2E CC 80 00 00 01 01 08 0A 00 B6 D0 C3 43 C6 ........ ......C.
0040 D6 78 .x
================
TIME: 03/08/10-03:19:54.242506

alert tcp any any -> any any (msg:"http_cookie 1 "; content:"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703"; http_cookie; classtype:bad-unknown; sid:68; rev:1;)
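The behaviour this report expects from http_cookie, written up as an added reference model (this is not Suricata or Snort code): only a client-to-server segment that is an HTTP request carrying a Cookie header yields a buffer at all, so the payload-less handshake packets cannot alert, and the same value in the URI does not count; the snort_style flag reproduces the "Cookie: "-prefixed buffer the report mentions. The sample segments are constructed to mirror the flow described above.

```python
"""Reference model: which segments should an http_cookie content match?"""
import re
from typing import Dict, Optional

# Cookie value from the rule in this report (sid:68), used as the content match.
RULE_CONTENT = b"e6504ae48c99f09df7f58996aacbb6b0=120e494ce857d6ceeef89f9678d4d703"

_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def cookie_buffer(payload: bytes, snort_style: bool = False) -> Optional[bytes]:
    """Buffer an http_cookie keyword should inspect for one to-server segment.

    Returns None when the segment is not an HTTP request with a Cookie header
    (e.g. the SYN or ACK of the handshake, which carry no payload at all).
    snort_style=True starts the buffer at the raw "Cookie: " header name
    instead of the parsed value, as the report notes Snort does.
    """
    if not payload or not _REQUEST_LINE.match(payload):
        return None
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            return line if snort_style else value.strip()
    return None


def http_cookie_matches(payload: bytes, content: bytes = RULE_CONTENT) -> bool:
    """True only when `content` occurs inside the cookie buffer, never elsewhere."""
    buf = cookie_buffer(payload)
    return buf is not None and content in buf


# Constructed segments: handshake packets have no payload, one GET carries the
# cookie, and a second GET carries the same value only in its query string.
SEGMENTS: Dict[str, bytes] = {
    "syn": b"",
    "ack": b"",
    "get_cookie": (b"GET /search?q=12345 HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"Cookie: " + RULE_CONTENT + b"\r\n\r\n"),
    "get_uri_only": (b"GET /search?c=" + RULE_CONTENT + b" HTTP/1.1\r\n"
                     b"Host: example.invalid\r\n\r\n"),
}


def alert_count() -> int:
    """Alerts expected for the constructed flow: one, not one per packet."""
    return sum(http_cookie_matches(p) for p in SEGMENTS.values())


if __name__ == "__main__":
    for name, seg in SEGMENTS.items():
        print(f"{name:13s} match={http_cookie_matches(seg)}")
    print("snort-style buffer:", cookie_buffer(SEGMENTS["get_cookie"], snort_style=True)[:12])
```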


Files

oisfsearchnums.pcap (17.8 KB) - oisf site search for a string of numbers - Will Metcalf, 03/25/2010 07:35 PM