Question about stream.inline

Hi there,

I am using Suricata in IDS mode only. When I set stream.inline: yes, I get a big increase in alerts from the following rule:

alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,; classtype:attempted-admin; sid:2006546; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

What is the reason behind this behaviour? Should I leave stream.inline: yes or switch it to “auto” or “no”?



We’re trying to better understand this situation. Would you be able to provide a pcap showcasing the traffic that is generating more alerts when stream.inline is “yes”?

Also, could you tell us which version of Suri you are running, just so we have a bigger picture?

Thanks in advance!

I am using the latest stable version of Suricata. I will try to get a PCAP but it will take some time.


Alright, and thanks!

So far, as a heads-up, this may be a case of lack of documentation. If you set stream.inline: no you don’t get the increase, right? What happens if you keep that as no but pass the command-line option --simulate-ips? Are the results similar to having it as stream.inline: yes?


The results appear not to be similar. With stream.inline: auto and --simulate-ips I do not have the increase. In IDS mode, should I leave this set to “no” or “auto”?


Thanks for your answer 🙂

I would say that auto is a safer option, for now.