Feature #1867: Snort compatibility: flow:not_established not supported. - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #1867

closed

Snort compatibility: flow:not_established not supported.

Added by Jason Ish over 7 years ago. Updated over 7 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Ish

Target version:

3.2rc1

Effort:

Difficulty:

Label:

Description

Suricata does not support the "not_established" argument to the "flow" keyword which is used in some Snort rules.

Actions

Copy link

Updated by Victor Julien over 7 years ago

Priority changed from Low to Normal
Target version changed from TBD to 70

While at it, add Snort's no_frags and only_frags as well. This is a trivial check: p->flags & PKT_IS_FRAGMENT.

Actions

Copy link

Updated by Jason Ish over 7 years ago

Victor Julien wrote:

While at it, add Snort's no_frags and only_frags as well. This is a trivial check: p->flags & PKT_IS_FRAGMENT.

I think its a little different than that. It looks like no_frag and only_frag refer to the rebuilt packets. If "no_frag", then do not trigger on reassembled packets. If only_frag, then only trigger on re-assembled packets.

Actions

Copy link

Updated by Victor Julien over 7 years ago

Status changed from Assigned to Closed
Target version changed from 70 to 3.2rc1

https://github.com/inliniac/suricata/pull/2358

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #1867

Snort compatibility: flow:not_established not supported.

Updated by Victor Julien over 7 years ago

Updated by Jason Ish over 7 years ago

Updated by Victor Julien over 7 years ago