Project

General

Profile

Actions
Copy link

Documentation #5910

open
JF OD

devguide: explain possible differences in data inspection with inline stream or not

Documentation #5910: devguide: explain possible differences in data inspection with inline stream or not

Added by Juliana Fajardini Reichow about 3 years ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
9.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

The inline stream engine controls when and how data is inspected. In some cases, this may result in an asymmetry when traffic is inspected in inline mode or not (e.g. it would be possible to see [one] extra alert in inline mode when compared to non-inline mode).

When: ACKed or non-ACKed data.
How: by [ACKed] chunks?

This seems important to be documented, as in some cases - say, when running similar tests in IDS vs IPS mode, there could be a mismatch in the number of alerts generated, due to that.

Related issues 2 (0 open2 closed)

Related to Suricata - Documentation #5513: userguide: add a chapter for IPS modeClosedVictor JulienActions
Related to Suricata - Documentation #4351: doc: explain the engine logic to trigger inspection of TCP dataClosedShivani BhardwajActions

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #1

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

VJ Updated by Victor Julien 10 months ago Actions
Copy link
 #2

  • Target version changed from 8.0.0-rc1 to 8.0.0

JF Updated by Juliana Fajardini Reichow 10 months ago Actions
Copy link
 #3

JF Updated by Juliana Fajardini Reichow 10 months ago Actions
Copy link
 #4

  • Related to Documentation #4351: doc: explain the engine logic to trigger inspection of TCP data added

VJ Updated by Victor Julien 10 months ago Actions
Copy link
 #5

  • Target version changed from 8.0.0 to 9.0.0-beta1
Actions
Copy link

Also available in: PDF Atom