Documentation #5910: devguide: explain possible differences in data inspection with inline stream or not - Suricata - Open Information Security Foundation

Actions

Copy link

Documentation #5910

open

devguide: explain possible differences in data inspection with inline stream or not

Added by Juliana Fajardini Reichow about 1 year ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

8.0.0-beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

The inline stream engine controls when and how data is inspected. In some cases, this may result in an asymmetry when traffic is inspected in inline mode or not (e.g. it would be possible to see [one] extra alert in inline mode when compared to non-inline mode).

When: ACKed or non-ACKed data.
How: by [ACKed] chunks?

This seems important to be documented, as in some cases - say, when running similar tests in IDS vs IPS mode, there could be a mismatch in the number of alerts generated, due to that.

No data to display

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Documentation #5910

devguide: explain possible differences in data inspection with inline stream or not