Bug #7724
opendetect: wrong detect behavior for stream keywords no_stream and only_stream
Description
When running through a basic pcap (attached) and using basic rules, I do not get the expected outcome.
Test A:
For a ruleset containing:
alert tcp any any -> any any (msg: "tcp toserver no_stream"; flow:to_server, no_stream; sid:1;)
alert tcp any any -> any any (msg: "tcp toserver stream"; flow:to_server, only_stream; sid:2;)
alert tcp any any -> any any (msg: "tcp toclient no_stream"; flow:to_client, no_stream; sid:3;)
alert tcp any any -> any any (msg: "tcp toclient stream"; flow:to_client, only_stream; sid:4;)
I get 80 alerts, where no_stream and only_stream keywords seem not honored and the alerts are doubled. I would expect 40 alerts.
Test B:
With the ruleset:
alert tcp any any -> any any (msg: "tcp toserver no_stream"; flow: no_stream; sid:1;)
alert tcp any any -> any any (msg: "tcp toserver stream"; flow:only_stream; sid:2;)
I get only 4 alerts, where again I would expect 40 alerts.
This possibly needs to be evaluated for Suri 7 as well if it is considered a bug.
Updated by Lukas Sismis 2 months ago
Note - it was specifically tried on my branch https://github.com/OISF/suricata/pull/13333, but the last commit hash on the master branch is: 404bb53ce96564cbf964bb1e513a6107b7f744dc
Updated by Victor Julien 2 months ago
Can you create some SV tests to show the issue?
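An added sketch of the Suricata-Verify test being asked for here; it is not part of this ticket or of the project's test suite. It assumes the attached pcap is stored as input.pcap and the Test B signatures (sid 1 and 2) as test.rules in the same test directory, and it asserts the 40 alerts the reporter expects, so on the reported behaviour (4 alerts) it fails and documents the issue.

```yaml
# Assumed layout (not from the ticket):
#   tests/bug-7724-no-stream/test.yaml   (this file)
#   tests/bug-7724-no-stream/test.rules  (the two Test B signatures from the report)
#   tests/bug-7724-no-stream/input.pcap  (the pcap attached to the ticket)
requires:
  # ticket targets 8.0.0-rc1 / 9.0.0-beta1; lower this if the 7.x check is wanted
  min-version: 8

pcap: input.pcap

args:
  # keep packets regardless of checksum so the whole capture is inspected
  - -k none

checks:
  # Reporter's expectation for Test B: 40 alerts in total across sid 1 and sid 2.
  # The behaviour described in the ticket (one alert per signature per direction)
  # yields 4, so this check fails until the keywords are honored as expected.
  - filter:
      count: 40
      match:
        event_type: alert
```

Run it with suricata-verify's run.py against a Suricata build from the commit named in the ticket; a per-signature split of the 40 is not given in the report, so no per-sid count is asserted.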
Updated by Victor Julien about 2 months ago
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
Updated by Philippe Antoine 15 days ago
- Status changed from New to Feedback
- Label Needs Suricata-Verify test added
Updated by Philippe Antoine 14 days ago
I get only 4 alerts, where again I would expect 40 alerts.
4 means one time for each signature for each direction.
This looks like the expected case for ip-only rules, cc @Juliana Fajardini Reichow
What are you trying to do? Is there a purpose to using no_stream without a content?