To detect specific packets in a pcap file, we tested with five flowbit-related rules.
- sids: 2022053, 2022049, 2022264, 2022265, 2022266
In the test, we expected packet number 6225 to be alerted on by the rule with sid 2022053.
However, Suricata alerted on a different packet in the fast log.
The packet alerted on in the fast log is a packet without payload (packet number: 246587).
We also found this situation with some other flowbit rules.
We need help understanding why Suricata alerted on a different packet.
Also, we want to change the alert time (the time of packet number 246587) to the time of the payload-matched packet (the time of packet number 6225).
We can provide the tested pcap file, but because the file size is too big we will send it to you by e-mail if you want it.
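As an added illustration (constructed example rules written for this thread, not the ET rules with the sids listed above, whose contents are not shown here), the following pair of rules shows the flowbit pattern that can produce this symptom: one rule sets a per-flow bit on the packet that carries the matching payload, and a second rule checks `flowbits:isset` with no payload condition. Suricata evaluates flowbit checks on every packet of the flow, so the isset rule can match, and be timestamped, on the next packet in its direction even when that packet has zero payload bytes, such as a bare TCP ACK. The sids, message strings, content patterns and flowbit name are placeholders.

```suricata
# Constructed example rules (placeholders; not ET sids 2022053/2022049/2022264/2022265/2022266).

# Rule 1: the request packet carrying the payload sets a per-flow bit and is
# silenced with noalert, so only the second rule produces a fast.log line.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE request seen, set flowbit"; flow:established,to_server; content:"EXAMPLE-REQUEST"; flowbits:set,example.request; flowbits:noalert; sid:9000001; rev:1;)

# Rule 2 (problematic form): isset with no payload condition. The first
# to_client packet after the bit is set satisfies it, even an empty ACK, so the
# alert and its fast.log timestamp belong to that payload-less packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE response after request (may fire on empty ACK)"; flow:established,to_client; flowbits:isset,example.request; sid:9000002; rev:1;)

# Rule 2 (tightened): dsize:>0 together with a content match on the response
# restricts the isset check to packets that actually carry payload, so the alert
# is attached to the packet whose data the rule is really about.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE response after request"; flow:established,to_client; dsize:>0; content:"EXAMPLE-RESPONSE"; flowbits:isset,example.request; sid:9000003; rev:1;)
```

To compare the two forms against a capture, load only these rules with `suricata -r <file.pcap> -S example.rules -l <logdir>` and inspect the resulting fast.log; the packet that rule 9000002 reports can be located by its timestamp, while rule 9000003 reports the packet that carried the matching payload. The same diagnosis applies to any isset rule in a rule set: if its only conditions are flow direction and the flowbit, the reported packet is whichever packet of the flow Suricata evaluated first after the bit was set.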