How to ignore FIN,ACK flag

Hello all,

We want to add a connection to the exception rules. We did it, but sometimes the alerts still pop up. It is very annoying. Let me explain. The connection looks as follows:
Step 1: A --(TCP handshake)--> B
Step 2: A --(TLSv1.2 handshake)--> B
After completing TLSv1.2, the issue sometimes happens:
B ------ (FIN,ACK) ----- A. (I am sure that A had never sent any flag relating to "FINISH".) This flag makes Suricata raise the alert "SURICATA Applayer wrong direction first data".

How can we ignore this kind of TCP flag? Or does anyone have another solution?


How did you set up Suricata?
Keep in mind those applayer alerts are quite noisy in production environments. Maybe just disable or suppress it, unless you want to ensure you have only clean traffic.
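
An added example, not part of the thread above: one way to keep a suppression narrow is to read from Suricata's EVE JSON log which hosts actually trigger the alert, and emit `suppress` entries for `threshold.config` only for those. The sample events, the addresses and the `min_hits` cut-off are constructed for illustration; the gid and sid are taken from the alert records themselves.

```python
import json
from collections import Counter

SIGNATURE = "SURICATA Applayer wrong direction first data"

# Constructed EVE JSON lines (documentation address ranges); the last one is
# truncated on purpose, as happens when eve.json is read while being written.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.0.2.20","dest_ip":"192.0.2.10","proto":"TCP","alert":{"gid":1,"signature_id":2260001,"signature":"SURICATA Applayer Wrong direction first Data"}}
{"event_type":"alert","src_ip":"192.0.2.20","dest_ip":"192.0.2.10","proto":"TCP","alert":{"gid":1,"signature_id":2260001,"signature":"SURICATA Applayer Wrong direction first Data"}}
{"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"TCP"}
{"event_type":"alert","src_ip":"192.0.2.20","dest_ip":"192.0.2.10","proto":"TCP","alert":{"gid":1,"signature_id":9000001,"signature":"Constructed unrelated rule"}}
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","proto":"TCP","alert":{"gid":1,"signature_id":2260001,"signature":"SURICATA Applayer Wrong direction first Data"}}
{"event_type":"alert","src_ip":"192.0.2.20","dest_ip":"192.0.2.10","proto":"TCP","alert":{"gid":1,"signature_id":2260001,"signature":"SURICATA Applayer Wrong direction first Data"}}
{"event_type":"alert","src_ip":"192.0.2.20","ale
"""


def suppress_lines(eve_text, signature=SIGNATURE, min_hits=2):
    """Return threshold.config suppress entries, one per source host that
    triggered `signature` at least `min_hits` times."""
    hits = Counter()
    for line in eve_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue
        alert = event.get("alert") or {}
        # Rule messages differ in capitalisation between sources; compare case-insensitively.
        if alert.get("signature", "").lower() != signature.lower():
            continue
        if "signature_id" not in alert or "src_ip" not in event:
            continue
        hits[(alert.get("gid", 1), alert["signature_id"], event["src_ip"])] += 1
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
        for (gid, sid, ip), count in sorted(hits.items())
        if count >= min_hits
    ]


if __name__ == "__main__":
    for entry in suppress_lines(SAMPLE_EVE):
        print(entry)
```

The printed lines go into `threshold.config`; hosts below the cut-off keep alerting, so a new source of the same event is still visible.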