Bug #7724: detect: wrong detect behavior for stream keywords no_stream and only_stream - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #7724

open

detect: wrong detect behavior for stream keywords no_stream and only_stream

Added by Lukas Sismis 11 days ago. Updated 4 days ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

9.0.0-beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

When running through a basic pcap (attached) and using basic rules, I do not get the expected outcome.

Test A:
For a ruleset containing:

alert tcp any any -> any any (msg: "tcp toserver no_stream"; flow:to_server, no_stream; sid:1;)
alert tcp any any -> any any (msg: "tcp toserver stream"; flow:to_server, only_stream; sid:2;)
alert tcp any any -> any any (msg: "tcp toclient no_stream"; flow:to_client, no_stream; sid:3;)
alert tcp any any -> any any (msg: "tcp toclient stream"; flow:to_client, only_stream; sid:4;)

I get 80 alerts, where no_stream and only_stream keywords seem not honored and the alerts are doubled. I would expect 40 alerts.

Test B:
With the ruleset:

alert tcp any any -> any any (msg: "tcp toserver no_stream"; flow: no_stream; sid:1;)
alert tcp any any -> any any (msg: "tcp toserver stream"; flow:only_stream; sid:2;)

I get only 4 alerts, where again I would expect 40 alerts.

Possibly needed to be evaluated for Suri 7 if considered as a bug.

Files

HTTP.cap (24.9 KB) HTTP.cap

Lukas Sismis, 05/29/2025 02:32 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #7724

detect: wrong detect behavior for stream keywords no_stream and only_stream

Updated by Lukas Sismis 11 days ago

Updated by Lukas Sismis 11 days ago

Updated by Victor Julien 10 days ago

Updated by Victor Julien 4 days ago