Hi, I have some news about the parser. It seems to work when I start Suricata in pcap offline mode. But when I go to live mode, Suricata can understand only once (I explain this part better below). If I start the communication between a server and a client, Suricata recognizes the new protocol implemented on the specific port; when the server and client stop the communication and make a new one, it seems that the parser is never re-called, and so I feel that Suri is blind. Is it possible that I need to tell Suricata how to enable the parser again? Also, I find that when Suricata recognizes the end of the communication between the client and the server, it writes this JSON in the eve.json:
{
  "timestamp": "2021-03-18T18:06:26.150325+0100",
  "flow_id": 2088039287448777,
  "in_iface": "netmap:suricata",
  "event_type": "flow",
  "src_ip": "192.168.1.102",
  "src_port": 55137,
  "dest_ip": "192.168.1.50",
  "dest_port": 6662,
  "proto": "TCP",
  "app_proto": "hl7",
  "flow": {
    "pkts_toserver": 40,
    "pkts_toclient": 21,
    "bytes_toserver": 17423,
    "bytes_toclient": 3378,
    "start": "2021-03-18T18:04:01.025801+0100",
    "end": "2021-03-18T18:04:02.155417+0100",
    "age": 1,
    "state": "closed",
    "reason": "unknown",
    "alerted": false
  },
  "tcp": {
    "tcp_flags": "1b",
    "tcp_flags_ts": "1b",
    "tcp_flags_tc": "1b",
    "syn": true,
    "fin": true,
    "psh": true,
    "ack": true,
    "state": "closed"
  }
}
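One way to check whether the parser really stops classifying later connections is to tally the `app_proto` that Suricata assigned to every `flow` event on the parser's port and list the flows that did not get the expected protocol. The script below is an added example written for this thread, not code from the poster or from the Suricata project. The port (6662) and protocol name (`hl7`) are taken from the flow record above; the sample eve.json lines are constructed, and the second flow's `app_proto` of `failed` (Suricata's value for flows whose app-layer detection did not succeed) is an assumed illustration of the symptom, not something the post shows.

```python
import json
from collections import Counter, defaultdict

# Port and app-layer protocol name taken from the flow record in the post.
PARSER_PORT = 6662
EXPECTED_APP_PROTO = "hl7"

# Constructed sample eve.json lines (one JSON object per line), modelled on the
# record in the post. The first flow is classified as hl7; a later flow to the
# same port is assumed to end up as "failed", which is the symptom described.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2021-03-18T18:06:26.150325+0100", "flow_id": 1,
                "event_type": "flow", "src_ip": "192.168.1.102", "src_port": 55137,
                "dest_ip": "192.168.1.50", "dest_port": 6662, "proto": "TCP",
                "app_proto": "hl7",
                "flow": {"pkts_toserver": 40, "pkts_toclient": 21, "state": "closed"}}),
    json.dumps({"timestamp": "2021-03-18T18:07:10.000000+0100", "flow_id": 2,
                "event_type": "flow", "src_ip": "192.168.1.102", "src_port": 55140,
                "dest_ip": "192.168.1.50", "dest_port": 6662, "proto": "TCP",
                "app_proto": "failed",
                "flow": {"pkts_toserver": 38, "pkts_toclient": 20, "state": "closed"}}),
    # A non-flow event and a malformed line, both of which must be skipped.
    json.dumps({"timestamp": "2021-03-18T18:07:11.000000+0100", "flow_id": 3,
                "event_type": "alert", "dest_port": 6662, "app_proto": "hl7"}),
    "not json at all",
]


def iter_flow_events(lines):
    """Yield parsed 'flow' events, skipping other event types and unparseable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "flow":
            yield rec


def app_proto_by_port(lines):
    """Return {dest_port: Counter(app_proto -> number of flows)} over all flow events."""
    tally = defaultdict(Counter)
    for rec in iter_flow_events(lines):
        tally[rec.get("dest_port")][rec.get("app_proto", "missing")] += 1
    return tally


def unclassified_flows(lines, port=PARSER_PORT, expected=EXPECTED_APP_PROTO):
    """Flow records on `port` whose app_proto is not `expected`, in file order."""
    return [rec for rec in iter_flow_events(lines)
            if rec.get("dest_port") == port and rec.get("app_proto") != expected]


if __name__ == "__main__":
    import sys
    # Pass a real eve.json path to analyse it; otherwise the constructed sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_EVE_LINES
    for port, counts in sorted(app_proto_by_port(lines).items()):
        print(f"dest_port {port}: {dict(counts)}")
    for rec in unclassified_flows(lines):
        print(f"flow {rec.get('flow_id')} at {rec.get('timestamp')} "
              f"has app_proto={rec.get('app_proto')!r}, expected {EXPECTED_APP_PROTO!r}")
```

Run it against the live-mode eve.json after two consecutive client sessions: if the second flow on port 6662 shows up in the unclassified list while the offline pcap run classifies both, that narrows the problem to live-mode detection rather than to the parser's own logic.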