Bug #4220
Status: Closed
detect: signature not hit with --simulate-ips option
Description
Hi,
I have a pcap trace which can hit my signature with the configurations in the attachment in IDS mode.
But the same trace failed to hit the same signature with the same configuration in IPS mode.
Is it by design or a bug?
How to reproduce:
1. uncompress the tar.gz to /home/inline-test, make sure all files are under /home/inline-test
2. cd /home/inline-test
3. ntd-ids -c ./suricata.yaml -r ./1flowB.pcap, and we can see eve logs.
4. ntd-ids -c ./suricata.yaml -r ./1flowB.pcap --simulate-ips, and we can't see any eve logs.
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Victor Julien
- Target version set to 7.0.0-beta1
Updated by Victor Julien over 3 years ago
- Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Updated by Victor Julien about 1 year ago
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Updated by Shivani Bhardwaj 11 months ago
- Subject changed from "failed to hit a signature with option --simulate-ips" to "detect: signature not hit with --simulate-ips option"
- Priority changed from High to Normal
Updated by Victor Julien 9 months ago
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
Updated by Victor Julien about 2 months ago
- Status changed from Assigned to Closed
- Assignee deleted (Victor Julien)
- Priority changed from High to Normal
- Target version deleted (9.0.0-beta1)
I've finally been able to have a look. The problem is that the pcap is showing a broken TCP stream with an improper 3-way handshake. In IDS mode Suricata is more forgiving of this type of issue, but the IPS mode is quite strict.
As I don't think there is anything to fix here, I'm closing the ticket.
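The explanation above turns on whether the capture's TCP flows begin with a complete SYN, SYN/ACK, ACK exchange. As an added example, not part of this ticket or of Suricata's own code, the following self-contained Python script builds a small pcap from constructed sample flows (addresses, ports and the function names are assumptions) and reports which flows lack a proper 3-way handshake, which is the check to run on a capture before comparing IDS and --simulate-ips runs.

```python
import struct
SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits used below

def tcp_frame(src, dst, sport, dport, flags):
    # Ethernet + IPv4 + TCP header with no payload; checksums are left zero (fine offline)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    # little-endian pcap global header, linktype 1 (Ethernet), then one record per frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def handshake_report(pcap):
    """Map each TCP flow (client ip, port, server ip, port) to True only if SYN, SYN/ACK
    and ACK were its first three segments; mid-stream or broken flows map to False."""
    assert pcap[:4] == b"\xd4\xc3\xb2\xa1", "only little-endian pcap files are handled"
    off, stage = 24, {}  # stage: 1=SYN seen, 2=SYN/ACK seen, 3=complete, -1=broken/midstream
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        pkt, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        src, dst, tcp = pkt[26:30], pkt[30:34], pkt[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13] & 0x3F
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = fwd if fwd in stage else rev if rev in stage else None
        if key is None:  # first segment of the flow: only a bare SYN opens a proper handshake
            stage[fwd] = 1 if flags == SYN else -1
            continue
        s, from_client = stage[key], key == fwd
        if s == 1 and not from_client and flags == SYN | ACK:
            stage[key] = 2
        elif s == 2 and from_client and flags & ACK and not flags & SYN:
            stage[key] = 3
        elif s in (1, 2):
            stage[key] = -1  # anything else in the middle of the handshake breaks it
    return {k: v == 3 for k, v in stage.items()}

# Constructed sample: one flow with a proper handshake, one picked up mid-stream (no SYN)
C, S = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GOOD = [tcp_frame(C, S, 40001, 80, SYN), tcp_frame(S, C, 80, 40001, SYN | ACK),
        tcp_frame(C, S, 40001, 80, ACK), tcp_frame(C, S, 40001, 80, PSH | ACK)]
MIDSTREAM = [tcp_frame(C, S, 40002, 80, PSH | ACK), tcp_frame(S, C, 80, 40002, ACK)]
SAMPLE_PCAP = build_pcap(GOOD + MIDSTREAM)
```

Replace SAMPLE_PCAP with the bytes of a real capture to list which of its flows would be treated as picked up mid-stream; only little-endian pcap (not pcapng) is parsed here.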
Updated by Victor Julien about 2 months ago
For reference, I added a test for both IDS and IPS modes in https://github.com/OISF/suricata-verify/pull/2879