I have a problem with Suricata application detection if there is a duplicate TCP SYN in each flow (for network traffic span architecture reasons). It seems that Suricata can’t legitimate this TCP flow and therefore can’t decode the application. Are there any workarounds? How can I achieve this?
I can reproduce that. I also see no http event with the pcap, but once I make sure the duplicate SYN is gone, using tshark with tshark -r syn.pcap -Y "tcp.stream eq 1" -w syn3.pcap -F pcap, and run that, I can see the http events.
This would need a deeper dive. Would you mind opening a bug request on our redmine?
Besides that, having such traffic is always an issue, so trying to get rid of those duplicates would be best.
Is the pcap okay to share, so we could use it for a suricata-verify test as well?
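Before filing the bug or reworking the span, it helps to confirm that the capture really does carry the opening SYN of a flow twice. The following is an added example, not code from the thread or from the Suricata project: a stdlib-only Python scanner that walks a classic libpcap file and reports every (src, sport, dst, dport, ISN) whose SYN (without ACK) appears more than once. The pcap it checks is constructed inline; the addresses, ports and sequence numbers are made up for the demonstration.

```python
import struct
from collections import defaultdict

SYN, SYNACK = 0x02, 0x12

def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_packet(src, dst, sport, dport, seq, flags):
    """Ethernet + IPv4 + TCP header, no payload, checksums left at zero (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(packets):
    """Classic little-endian libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000, i, len(pkt), len(pkt)) + pkt
    return out

def find_duplicate_syns(pcap_bytes):
    """Map (src, sport, dst, dport, isn) -> count for flows whose opening SYN was captured more than once."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"
    pos, seen = 24, defaultdict(int)
    while pos + 16 <= len(pcap_bytes):
        incl = struct.unpack(end + "IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 over Ethernet carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        sport, dport, seq = struct.unpack("!HHI", frame[14 + ihl:14 + ihl + 8])
        flags = frame[14 + ihl + 13]
        if flags & 0x02 and not flags & 0x10:                # SYN without ACK: the flow opener
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            seen[(src, sport, dst, dport, seq)] += 1
    return {k: v for k, v in seen.items() if v > 1}

# Constructed sample: flow A's SYN is delivered twice by the span, flow B is clean.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1000, SYN),
    build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1000, SYN),   # duplicate opener
    build_packet("10.0.0.2", "10.0.0.1", 80, 40000, 5000, SYNACK),
    build_packet("10.0.0.1", "10.0.0.2", 40001, 80, 2000, SYN),
    build_packet("10.0.0.2", "10.0.0.1", 80, 40001, 6000, SYNACK),
])
```

Run find_duplicate_syns(open("capture.pcap", "rb").read()) on a real classic-format capture (pcapng is not handled); a genuine SYN retransmission has the same ISN too, so compare the record timestamps of flagged flows to tell span duplicates (microseconds apart) from retransmits (typically a second or more apart).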