How to ignore FIN,ACK flag

thinhle · December 23, 2021, 7:23am

Hello all,

We want to add a connection into exception rules. We did it but sometime the alerts still pop up. It is very annoying. Let me explain something. The connection looks like as follow:
step 1:A —(TCP handshake)–> B
step 2 :A—> (TLSv1,2 handshake)–B
After having completely TLSv1.2, sometime the issue happens :
B ------ (FIN,ACK) ----- A. (i am sure about that A had never been sent any flag relating to “FINISH”). This Flag make suricata raise an alert “SURICATA Applayer wrong direction first data”.

How can we ignore this kind of TCP flag? Or anyone have another solution?

Thanks

Andreas_Herz · December 27, 2021, 8:34pm

How did you setup Suricata?
Keep in mind those applayer alerts are quite noisy in production environments. Maybe just disable or suppress it unless you want to ensure to have just clean traffic.

Topic		Replies	Views
Suricata pass rule not working Rules	16	3601	April 28, 2022
Help to disable http protocol in suricata 7.0.2 Help	1	143	November 16, 2023
Strange behavior with pass and drop rule Help	14	1132	July 9, 2021
Suricata ignore Rule by IP	3	2454	July 26, 2021
Rule using http does not matching get request Rules	2	1014	January 18, 2022

How to ignore FIN,ACK flag

Related Topics