I have enabled FLOW and am trying to track TCP flows.
I have also created alerts for TCP setup flags like SYN, ACK and FIN.
When the TCP session takes place, I see the alerts as expected for all events like SYN, ACK and FIN (not RESET).
But under the FLOW event_type I do not see the “CLOSED” state. I only see ESTABLISHED followed by NEW states, and at the end I see a NEW state with reason “unknown”.
I have been trying to use iperf to generate TCP flows, and I also tried socket programming on a Linux machine.
Here is the timeout information from suricata.yaml:
```yaml
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
  tcp:
    new: 1
    established: 3
    closed: 2
```
I would also like to know when Suricata decides to “close” the TCP flow, and what the logic behind it is.
I see that the stream-tcp file compares timestamps for each state to check whether the flow is alive; however, I am looking for the logic that decides the TCP flow is closed for that connection.
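One way to narrow this down from the log side is to read the `flow` records in eve.json per `flow_id` and line up `flow.state`, `flow.reason` and the `tcp` flag booleans (`syn`, `fin`, `rst`, ...) that Suricata records for that flow. Suricata writes one `flow` record per flow when the flow ends, so if ESTABLISHED and NEW records carry different `flow_id`s they are different flows, and a flow that ends with `reason: timeout` and no `fin`/`rst` seen simply expired before the teardown was tracked. The script below is an added example, not part of the original post or of Suricata itself; the eve lines are constructed sample data, and the `diagnose()` classification is my own heuristic over the logged fields, not Suricata's stream state machine.

```python
"""Walk eve.json 'flow' records and report, per flow, the final state, the
end reason and whether Suricata saw FIN/RST on that flow. Used to check
why a TCP flow never shows up with state "closed"."""
import json
from collections import Counter

# Constructed sample eve.json lines (not real Suricata output). The layout
# follows the eve "flow" record: flow.state, flow.reason and the tcp
# sub-object whose booleans say which flags were seen on the flow.
SAMPLE_EVE = "\n".join([
    # an alert on the same flow; skipped because event_type != flow
    '{"timestamp":"2024-01-01T10:00:00.500000+0000","flow_id":1001,"event_type":"alert",'
    '"src_ip":"10.0.0.1","src_port":40001,"dest_ip":"10.0.0.2","dest_port":5201,"proto":"TCP",'
    '"alert":{"signature":"constructed sample alert"}}',
    # data flowed, then the flow timed out: no FIN/RST ever seen on it
    '{"timestamp":"2024-01-01T10:00:05.000000+0000","flow_id":1001,"event_type":"flow",'
    '"src_ip":"10.0.0.1","src_port":40001,"dest_ip":"10.0.0.2","dest_port":5201,"proto":"TCP",'
    '"flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":900,"bytes_toclient":400,'
    '"state":"established","reason":"timeout","alerted":true},'
    '"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"1a",'
    '"syn":true,"ack":true,"psh":true,"state":"established"}}',
    # a lone SYN that never became established
    '{"timestamp":"2024-01-01T10:00:06.000000+0000","flow_id":1002,"event_type":"flow",'
    '"src_ip":"10.0.0.1","src_port":40002,"dest_ip":"10.0.0.2","dest_port":5201,"proto":"TCP",'
    '"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0,'
    '"state":"new","reason":"unknown","alerted":false},'
    '"tcp":{"tcp_flags":"02","tcp_flags_ts":"02","tcp_flags_tc":"00","syn":true,"state":"syn_sent"}}',
    # full handshake and FIN teardown tracked, so the flow ends "closed"
    '{"timestamp":"2024-01-01T10:00:09.000000+0000","flow_id":1003,"event_type":"flow",'
    '"src_ip":"10.0.0.1","src_port":40003,"dest_ip":"10.0.0.2","dest_port":5201,"proto":"TCP",'
    '"flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":700,"bytes_toclient":300,'
    '"state":"closed","reason":"timeout","alerted":false},'
    '"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b",'
    '"syn":true,"fin":true,"ack":true,"psh":true,"state":"closed"}}',
])


def parse_flow_records(text):
    """Return eve 'flow' records from newline-delimited JSON; other event types are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "flow":
            records.append(rec)
    return records


def summarise(rec):
    """Pull the fields that matter for the closed-state question out of one flow record."""
    flow = rec["flow"]
    tcp = rec.get("tcp", {})
    return {
        "flow_id": rec["flow_id"],
        "tuple": "%s:%s -> %s:%s" % (rec["src_ip"], rec["src_port"], rec["dest_ip"], rec["dest_port"]),
        "state": flow["state"],
        "reason": flow.get("reason", "unknown"),
        "tcp_flags": tcp.get("tcp_flags"),
        "fin": bool(tcp.get("fin", False)),
        "rst": bool(tcp.get("rst", False)),
        "pkts": flow["pkts_toserver"] + flow["pkts_toclient"],
    }


def diagnose(summary):
    """Classify why a record did or did not end 'closed'.
    My own heuristic over logged fields, not Suricata's internal logic."""
    if summary["state"] == "closed":
        return "closed"
    if not (summary["fin"] or summary["rst"]):
        # No teardown flags on this flow at all: it expired (or was forced
        # out) before the close, or the FIN/RST were tracked as another flow.
        return "no-teardown-seen"
    return "teardown-seen-but-not-closed"


def report(text):
    """Per-flow rows of (flow_id, state, reason, tcp_flags, diagnosis)."""
    rows = []
    for rec in parse_flow_records(text):
        s = summarise(rec)
        rows.append((s["flow_id"], s["state"], s["reason"], s["tcp_flags"], diagnose(s)))
    return rows


def state_counts(text):
    """How many flow records ended in each state."""
    return Counter(row[1] for row in report(text))


if __name__ == "__main__":
    for row in report(SAMPLE_EVE):
        print("flow %d  state=%-11s reason=%-8s flags=%s  %s" % row)
    print(dict(state_counts(SAMPLE_EVE)))
```

To run it against a real log, call `report(open("/var/log/suricata/eve.json").read())`; flow records whose `flow_id` differs between the ESTABLISHED and NEW entries are separate flows, and with the `tcp` timeouts shown above (new 1 s, established 3 s) an iperf connection can easily expire from the flow table before its FIN/RST arrives, which is exactly the "no-teardown-seen" case.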