Alert packet doesn't match signature (stream vs no stream)

I recently noticed that the packet provided in the EVE log doesn't match the signature that was triggered. I assumed it had to do with the stream assembly somehow, so I set the signature to flow:no_stream,established,to_server. That corrected the issue, and the packet matches what I was looking for. But I'm not sure why. I understand why no_stream works, since it matches on a per-packet basis and not on the entire stream, but I don't know why flow:established,to_server; doesn't work.

Tested on versions 5.0.8 and 6.0.4
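As an added example (not from the original post and not Suricata's own code), a small check over EVE alert records that flags alerts whose logged packet does not contain the content the rule matched on, which is how the mismatch described above shows up in a log. The `packet` field and its base64 encoding follow EVE's alert output; the sample lines, signature id and rule content are constructed.

```python
import base64
import json

# Constructed sample EVE lines (not from the original post). Two alerts for the
# same signature: the first logged packet carries the matched content, the
# second does not (the stream-vs-packet mismatch the post describes).
SAMPLE_EVE = "\n".join([
    json.dumps({
        "event_type": "alert",
        "flow_id": 1,
        "alert": {"signature": "TEST suspicious cmd", "signature_id": 9000001},
        "packet": base64.b64encode(b"\x00" * 54 + b"GET /cmd.exe HTTP/1.1\r\n").decode(),
    }),
    json.dumps({
        "event_type": "alert",
        "flow_id": 2,
        "alert": {"signature": "TEST suspicious cmd", "signature_id": 9000001},
        "packet": base64.b64encode(b"\x00" * 54 + b"\x16\x03\x01\x00\xa5").decode(),
    }),
    json.dumps({"event_type": "flow", "flow_id": 3}),
])

# Hypothetical mapping: signature id -> the content: the rule matches on.
EXPECTED_CONTENT = {9000001: b"/cmd.exe"}


def find_mismatched_alerts(eve_text: str, expected: dict) -> list:
    """Return (flow_id, signature_id) for alerts whose logged packet lacks the content."""
    mismatches = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        sid = event.get("alert", {}).get("signature_id")
        content = expected.get(sid)
        packet_b64 = event.get("packet")
        if content is None or packet_b64 is None:
            continue  # no rule content known, or packet logging disabled
        raw = base64.b64decode(packet_b64)
        if content not in raw:
            mismatches.append((event.get("flow_id"), sid))
    return mismatches


if __name__ == "__main__":
    for flow_id, sid in find_mismatched_alerts(SAMPLE_EVE, EXPECTED_CONTENT):
        print(f"flow {flow_id}: logged packet for sid {sid} lacks the rule content")
```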

I think this "Bug #3480: EVE JSON - Incorrect Packet Logged" (Suricata - Open Information Security Foundation) answers the question.
