Suricata

Hello!

Ask a few questions about dsize and stream_szie.

First of all, tso offload of all computers is off.

alert tcp any any -> any 80 (msg:"dsize"; flow:to_server,established,no_stream; dsize:0<>1000; sid:1; rev:1;)

I applied the rule as above and the length of the transmitting TCP segment is 1460 except the first and the last packets. So only the first and last two packets match normally.

I changed the rule to match the payload size from 1 to 999 with sequences less than 5000.

alert tcp any any -> any 80 (msg:"dsize"; flow:to_server,established,no_stream; dsize:0<>1000; stream_size:server,<,5000; sid:1; rev:1;)

However, after changing the rules like this, an unknown payload size match occurs.

The payload size is 1460 when viewed on all links except the first and last. However, unknown payload sizes such as 470 or 608 are matched.

Am I misunderstanding stream_size?

I will wait for an answer

Thank you