We used a rule (sid:2000369) to detect the following packets.
Detection rule
Detection result
When detection was successful, the stream options were as follows.
- inline: yes
- raw: yes
However, we could not detect them when the raw or inline options were changed to 'no'.
- inline: no
- raw: no
Options with which detection failed.
We wonder why detection is impossible when the options are changed.
Attached are the PCAP and the rule we used.
sid_2000369.rules (334 Bytes)
4271.pcap (838 Bytes)
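The mechanism that `stream.raw` controls, as an added illustration (not the poster's PCAP, rule or Suricata's own code): with raw stream reassembly enabled, a plain `content` match can be found in the reassembled TCP stream; without it, the match has to be present inside a single packet's payload. The flow below is constructed so that the pattern is split across two segments, so a per-packet inspector misses it while a stream inspector finds it; the pattern, sequence numbers and segment split are assumptions for the example, and whether sid 2000369 is actually affected this way cannot be told without the rule text.

```python
"""Per-packet vs reassembled-stream content matching (constructed example).

This models the difference that stream reassembly makes to a content
match; it is an illustration, not Suricata's implementation.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # TCP payload carried by this segment


# Constructed flow (assumption for the example): the pattern is split as
# "GET /ev" | "il.php" across two segments of one client-to-server stream.
PATTERN = b"GET /evil.php"
SEGMENTS = [
    Segment(seq=1000, payload=b"GET /ev"),
    Segment(seq=1007, payload=b"il.php HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def match_per_packet(segments, pattern):
    """Inspect each segment's payload on its own, with no reassembly.

    Returns the seq numbers of segments whose own payload holds the pattern.
    """
    return [s.seq for s in segments if pattern in s.payload]


def reassemble(segments):
    """Order segments by seq and concatenate contiguous payload.

    Retransmitted overlap is skipped; reassembly stops at the first hole,
    since bytes after a gap cannot be inspected as a continuous stream.
    """
    if not segments:
        return b""
    ordered = sorted(segments, key=lambda s: s.seq)
    data = b""
    expected = ordered[0].seq
    for s in ordered:
        if s.seq > expected:        # hole in the stream: stop here
            break
        skip = expected - s.seq     # bytes already seen (retransmission overlap)
        data += s.payload[skip:]
        expected = max(expected, s.seq + len(s.payload))
    return data


def match_stream(segments, pattern):
    """Inspect the reassembled stream (what raw stream inspection allows)."""
    return pattern in reassemble(segments)


def compare(segments, pattern):
    """Run both inspectors over the same flow and report the outcome."""
    return {
        "per_packet_hits": match_per_packet(segments, pattern),
        "stream_hit": match_stream(segments, pattern),
    }


if __name__ == "__main__":
    # Split pattern: only the stream inspector finds it.
    print("split across segments:", compare(SEGMENTS, PATTERN))
    # Same flow delivered out of order: reassembly still orders it by seq.
    print("out of order:", compare(list(reversed(SEGMENTS)), PATTERN))
    # Pattern inside one segment: both inspectors find it.
    single = [Segment(seq=1000, payload=b"GET /evil.php HTTP/1.1\r\n\r\n")]
    print("single segment:", compare(single, PATTERN))
```

To try each combination against a real PCAP without editing suricata.yaml, Suricata's `--set` option overrides individual settings on the command line, for example `suricata -r 4271.pcap -S sid_2000369.rules -l out --set stream.raw=no --set stream.inline=no`, then compare `out/fast.log` between runs.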