Can Suricata track TCP sessions

Can Suricata track the TCP sessions between two hosts if it is deployed in a router?

As per my understanding it is needed to enforce a strict TCP handshake and to mitigate other TCP-related attacks.

Thanks.

Are you asking if Suricata keeps track of TCP sessions when it observes traffic between host1 and host2?

If that’s the question, the answer is yes (provided Suricata observes the bidirectional traffic).

Thanks Jeff for the response.

I was asking about the scenario in which a networking device, specifically a router running Suricata, is positioned between host1 and host2.

If Suricata maintains the state of a TCP session, can it mitigate all TCP session attacks, such as TCP RST attacks and strict TCP handshake issues?

Are there any predefined rules available to mitigate these attacks?

Thanks in advance.

It sounds like you’re asking whether

  • Suricata works on an inline device at layer 3. Suricata would function as an IPS for an inline device (IDS if not inline with the packet flow).
  • Proofpoint publishes 50,000+ rules for Suricata and they’ve likely covered the scenarios that you’re concerned with. Proofpoint has free (ET/Open) and paid (ET/Pro) rulesets available.
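As an added illustration of the two points above (it is not part of the original reply), the stream-engine section of suricata.yaml is where the inline/IPS behaviour and the "must see both directions" assumption are configured; the values shown are a constructed example for a router deployment, not a recommended baseline.

```yaml
# Constructed example for a router running Suricata inline (IPS mode).
# The stream engine is what tracks each TCP session's state.
stream:
  inline: yes             # act as IPS: the engine can drop packets, not just alert
  checksum-validation: yes
  midstream: false        # do not pick up sessions without seeing the 3-way handshake
  async-oneside: false    # require both directions of the flow to be observed
  drop-invalid: yes       # in inline mode, drop packets that violate TCP state
                          # (e.g. segments outside the window, bad handshake order)
  max-synack-queued: 5
  reassembly:
    memcap: 256mb
    depth: 1mb            # how much of each direction is reassembled for inspection
```

Rules that should only fire on a fully established session then use the flow keyword (for example flow:established,to_server) so they inherit the session state the engine maintains.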

Thank you for your prompt response, Jeff. I greatly appreciate it.