Bug #7724: detect: wrong detect behavior for stream keywords no_stream and only_stream - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #7724

open

detect: wrong detect behavior for stream keywords no_stream and only_stream

Added by Lukas Sismis about 20 hours ago. Updated 1 minute ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

8.0.0-rc1

Affected Versions:

Effort:

Difficulty:

Label:

Description

When running through a basic pcap (attached) and using basic rules, I do not get the expected outcome.

Test A:
For a ruleset containing:

alert tcp any any -> any any (msg: "tcp toserver no_stream"; flow:to_server, no_stream; sid:1;)
alert tcp any any -> any any (msg: "tcp toserver stream"; flow:to_server, only_stream; sid:2;)
alert tcp any any -> any any (msg: "tcp toclient no_stream"; flow:to_client, no_stream; sid:3;)
alert tcp any any -> any any (msg: "tcp toclient stream"; flow:to_client, only_stream; sid:4;)

I get 80 alerts, where no_stream and only_stream keywords seem not honored and the alerts are doubled. I would expect 40 alerts.

Test B:
With the ruleset:

alert tcp any any -> any any (msg: "tcp toserver no_stream"; flow: no_stream; sid:1;)
alert tcp any any -> any any (msg: "tcp toserver stream"; flow:only_stream; sid:2;)

I get only 4 alerts, where again I would expect 40 alerts.

Possibly needed to be evaluated for Suri 7 if considered as a bug.

Files

HTTP.cap (24.9 KB) HTTP.cap

Lukas Sismis, 05/29/2025 02:32 PM

Actions

Copy link

Updated by Lukas Sismis about 20 hours ago

Note - it was specifically tried on my branch https://github.com/OISF/suricata/pull/13333
But the last commit hash on master branch is: 404bb53ce96564cbf964bb1e513a6107b7f744dc

Actions

Copy link