We run Suricata 8.0.2-profiling in docker (jasonish/suricata:8.0.2-profiling)
and we encounter an issue with the attached pcap:
mtls.pcap (6.1 KB)
This is mTLS traffic from the Sliver utility.
It produces only a “flow” event:
"event_type": "flow",
...
"proto": "TCP",
"app_proto": "failed",
"app_proto_tc": "tls"
...
and in stats.log we have these entries:
decoder.event.ipv4.iplen_smaller_than_hlen
flow.wrk.flows_evicted_needs_work
I think it is triggered because in packet 4 we have a reported length of 0.
I assume that Suricata encounters this bad packet and evicts the flow as “broken”.
Is this expected behavior or not?
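As an added example (not part of the original post and not Suricata's own code), the following Python script applies the same sanity check that Suricata's IPv4 decoder makes before raising `decoder.event.ipv4.iplen_smaller_than_hlen`: it walks a classic (not pcapng) little-endian pcap and flags every IPv4 packet whose total-length field is smaller than its header length (IHL * 4), reporting 1-based packet numbers as Wireshark does. The pcap below is constructed inline (three normal TCP frames, a fourth whose IP total length field is 0, then one more normal frame); the function names and the sample addresses are my own assumptions, not anything taken from mtls.pcap.

```python
"""Find IPv4 packets whose total-length field is smaller than the header length."""
import struct
import sys

PCAP_MAGIC_LE = 0xA1B2C3D4     # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def iter_pcap_packets(data: bytes):
    """Yield (packet_number, frame_bytes) from a classic little-endian pcap."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off, number = 24, 1
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield number, data[off:off + incl_len]
        off += incl_len
        number += 1


def ipv4_lengths(frame: bytes):
    """Return (total_length_field, header_length) for an IPv4 frame, else None."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    hlen = (ip[0] & 0x0F) * 4
    iplen = struct.unpack_from("!H", ip, 2)[0]
    return iplen, hlen


def find_bad_iplen(pcap: bytes):
    """Packets Suricata would tag with ipv4.iplen_smaller_than_hlen: (number, iplen, hlen)."""
    bad = []
    for number, frame in iter_pcap_packets(pcap):
        lengths = ipv4_lengths(frame)
        if lengths is None:
            continue
        iplen, hlen = lengths
        if iplen < hlen:          # the decoder's check: total length shorter than header
            bad.append((number, iplen, hlen))
    return bad


# --- constructed sample data (assumed addresses/ports, not from mtls.pcap) ---
def build_ipv4_tcp_frame(total_len_field: int) -> bytes:
    """Ethernet + IPv4 + TCP header (40 bytes of IP data) with a chosen total-length field."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len_field, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 8888, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


GOOD_FRAME = build_ipv4_tcp_frame(40)   # consistent: 20-byte IP header + 20-byte TCP header
BAD_FRAME = build_ipv4_tcp_frame(0)     # total length field 0, like the poster's packet 4
SAMPLE_PCAP = build_pcap([GOOD_FRAME, GOOD_FRAME, GOOD_FRAME, BAD_FRAME, GOOD_FRAME])


if __name__ == "__main__":
    pcap = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for number, iplen, hlen in find_bad_iplen(pcap):
        print(f"packet {number}: ip total length {iplen} < header length {hlen}")
```

Run it as `python3 check_iplen.py mtls.pcap` (convert with `editcap -F pcap` first if the capture is pcapng). The stats counter only says that some packet tripped the check; this tells you which one and what the fields actually contain.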