We want to add a connection into exception rules. We did it, but sometimes the alerts still pop up. It is very annoying. Let me explain something. The connection looks as follows:
step 1: A —(TCP handshake)–> B
step 2: A —(TLSv1.2 handshake)–> B
After completing TLSv1.2, sometimes the issue happens:
B —(FIN,ACK)–> A (I am sure that A never sent any flag relating to "FINISH"). This flag makes Suricata raise an alert "SURICATA Applayer wrong direction first data".
How can we ignore this kind of TCP flag? Or does anyone have another solution?
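One way to scope such an exception before touching threshold.conf, as an added example that is not part of the original post: read eve.json, keep only the "Wrong direction first Data" alerts, count them per host, and generate `suppress` entries limited to the hosts that actually trigger them (host B here) rather than silencing the rule globally. The eve.json lines below are constructed samples, the gid/sid values are taken from the records themselves, and the script assumes B appears as `src_ip` in the alert (pass `field="dest_ip"` if your log shows it on the other side).

```python
import json
from collections import Counter

# Constructed eve.json alert records (not real captures); only the fields this
# script reads are included. Replace with lines from your own eve.json; the
# gid/signature_id values are whatever your ruleset reports.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.0.0.2","dest_ip":"10.0.0.1","proto":"TCP","alert":{"gid":1,"signature_id":2260002,"signature":"SURICATA Applayer Wrong direction first Data"}}
{"event_type":"alert","src_ip":"10.0.0.2","dest_ip":"10.0.0.1","proto":"TCP","alert":{"gid":1,"signature_id":2260002,"signature":"SURICATA Applayer Wrong direction first Data"}}
{"event_type":"flow","src_ip":"10.0.0.2","dest_ip":"10.0.0.1","proto":"TCP"}
{"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","proto":"TCP","alert":{"gid":1,"signature_id":2260002,"signature":"SURICATA Applayer Wrong direction first Data"}}
"""

TARGET_SIGNATURE = "SURICATA Applayer Wrong direction first Data"


def count_alerts(eve_text, signature=TARGET_SIGNATURE, field="src_ip"):
    """Return {(gid, sid, ip): hits} for alerts whose signature matches,
    keyed on the IP found in `field` ("src_ip" or "dest_ip")."""
    counts = Counter()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, tls, stats ... records are not alerts
        alert = rec["alert"]
        if alert.get("signature") != signature:
            continue
        counts[(alert["gid"], alert["signature_id"], rec[field])] += 1
    return dict(counts)


def suppress_lines(counts, field="src_ip", min_hits=2):
    """Build threshold.conf 'suppress' entries for hosts with at least
    `min_hits` alerts, tracked on the same side the counts were keyed on."""
    track = "by_src" if field == "src_ip" else "by_dst"
    lines = []
    for (gid, sid, ip), hits in sorted(counts.items()):
        if hits >= min_hits:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}")
    return lines


if __name__ == "__main__":
    hits = count_alerts(SAMPLE_EVE)
    for key, n in sorted(hits.items()):
        print(key, n)
    print("\n".join(suppress_lines(hits)))
```

Append the printed lines to threshold.conf and reload Suricata; the host that fired only once stays un-suppressed, so a real misbehaving peer is still visible.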