Question about flows logging

Latest version of Suricata
Ubuntu 18.04
Installed from packages

Hi,

I have the following doubt about the flow logging type of Suricata. In the configuration, it shows that “flow” is logging “bidirectional flows”.

So, I tested a ping from an inside machine to an external IP which came back with no response (“Request timeout”), and I noticed that Suricata logs this flow. If it only logs bi-directional flows and I got no response from the server that received my ping, should this event be logged?

Thanks

Hi there,

in very broad terms, the unidirectional or bidirectional configuration is related to whether Suricata will consider a message from A → B being part of the same flow as a message from B → A. With the bidirectional flow setup, a flow will be A<>B.

So, the fact that the engine only saw one packet, as you’ve described, wouldn’t impact it logging the flow event or not.

An overview of what a flow usually is to Suricata is available at 12.1. Suricata.yaml — Suricata 8.0.0-dev documentation.

Hope that helps clarify this ^ ^
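To make the distinction concrete, here is an added toy flow tracker (not Suricata's code) that builds a direction-independent flow key the way the bidirectional setting implies, and counts packets per direction with field names mirroring the EVE flow record (`pkts_toserver` / `pkts_toclient`). The packets are constructed samples; a single unanswered ping still yields exactly one flow record, with zero packets to the client.

```python
from dataclasses import dataclass

# Constructed sample traffic: (src_ip, dst_ip, proto, src_port, dst_port).
# ICMP has no ports, so 0 is used as a placeholder.
PING_ONLY = [
    ("10.0.0.5", "203.0.113.9", "ICMP", 0, 0),      # echo request, never answered
]
TCP_EXCHANGE = [
    ("10.0.0.5", "198.51.100.7", "TCP", 51000, 443),  # client -> server
    ("198.51.100.7", "10.0.0.5", "TCP", 443, 51000),  # server -> client
    ("10.0.0.5", "198.51.100.7", "TCP", 51000, 443),  # client -> server again
]


def flow_key(src, dst, proto, sport, dport, bidirectional=True):
    """Return a key identifying the flow. In bidirectional mode the two
    endpoints are sorted, so A->B and B->A map to the same key (A<>B)."""
    a, b = (src, sport), (dst, dport)
    if bidirectional and b < a:
        a, b = b, a
    return (proto, a, b)


@dataclass
class Flow:
    src: str            # endpoint that sent the first packet ("server" side is dst)
    dst: str
    proto: str
    pkts_toserver: int = 0
    pkts_toclient: int = 0


def track_flows(packets, bidirectional=True):
    """Aggregate packets into flow records; the first packet fixes the
    client->server direction, later packets are counted per direction."""
    flows = {}
    for src, dst, proto, sport, dport in packets:
        key = flow_key(src, dst, proto, sport, dport, bidirectional)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(src, dst, proto)
        if (src, dst) == (flow.src, flow.dst):
            flow.pkts_toserver += 1
        else:
            flow.pkts_toclient += 1
    return list(flows.values())
```

Running `track_flows(PING_ONLY)` gives one flow with `pkts_toserver == 1` and `pkts_toclient == 0`, which is why the unanswered ping still appears in the flow log; with `bidirectional=False` the TCP exchange instead splits into two separate flows.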

Thanks @jufajardini for the clarification