Application detection and duplicate TCP/SYN

Hi, Team!

I have a problem with suricata application detection, if there is one duplicate TCP/SYN in each flow (due to the network traffic span architecture reasons). Seems to be, suricata can’t legitimate this TCP flow, therefore, can’t decode application. Is there any workarounds? How can I achieve this?


Do you have an example pcap for that?
Which version are you running and how does your config look like?

Suricata version is 6.0.5
PCAP and settings files:
files.tgz (45.2 KB)

the flow.pcap is the config file as well

Oops, sorry… Correct files attached in new archive.
suricata.tgz (27.6 KB)

I can reproduce that, I also see no http event with the pcap but once I ensure the duplicate syn is missing using tshark with tshark -r syn.pcap -Y " eq 1" -w syn3.pcap -F pcap and run this I can see the http events.

This would need a deeper dive. Would you mind open a bug request on our redmine?

Besides that having such traffic is always an issue so trying to get rid of that duplicates would be best.

Is the pcap okay to share, so we could use it for a suricata-verify test as well?

Ok, thanks!

Yes, sure.