Support #1986
closedSuricata works not well that Port-monitor only in incoming traffic
Description
I have a test like this:
My env:
WebServer:192.168.1.2
IDSServer:192.168.1.10
suricata.yaml with default setting.If WebServer Port-monitor to IDS with iptables:
iptables -A INPUT -i eth0 -p tcp -m tcp -j TEE --gateway 192.168.1.10
iptables -A OUTPUT -o eth0 -p tcp -m tcp -j TEE --gateway 192.168.1.10And I send the test request
http://192.168.1.2/t.php?id=1 union select id from adminThe suricata work well, The fast.log file loged the alert info;
But, I want only Port-monitor 'incoming traffic' to IDS, like:
iptables -A INPUT -i eth0 -p tcp -m tcp -j TEE --gateway 192.168.1.10Because of I didn`t care the response of the webserver, And the response traffic will occupied a large of bandwidth,
And now I send the test request
http://192.168.1.2/t.php?id=1 union select id from adminThe fast.log file is empty.
It`s a Bug or not?
Thanks
Updated by Victor Julien over 7 years ago
- Assignee deleted (
Victor Julien)
If I understand the setup correctly, then only one side of flows is sent to Suricata. This will certainly degrade Suricata's functionality. Setting '--set stream.async-oneside=true' should improve results somewhat.
We recommend making sure that both sides of the traffic are seen by Suricata.
Updated by wo wo over 7 years ago
Victor Julien wrote:
If I understand the setup correctly, then only one side of flows is sent to Suricata. This will certainly degrade Suricata's functionality. Setting '--set stream.async-oneside=true' should improve results somewhat.
We recommend making sure that both sides of the traffic are seen by Suricata.
thanks.