I have written a rule to match http accept. It works fine in my local test, but it fails in the production environment. After my investigation, it is because the production environment has set use-for-tracking to true; changing it to false makes it match.
Can anyone tell me what this use-for-tracking does? Does it affect me if I change it to false?
Hi!
Are you using VLAN? One of the scenarios this might happen is when both sides have different VLAN tag. These tags are used to determine the unique flow IDs in Suricata.
Tip: Most of the options in suricata.yaml are documented in the file itself.
# This option controls the use of VLAN ids in the flow (and defrag)
# hashing. Normally this should be enabled, but in some (broken)
# setups where both sides of a flow are not tagged with the same VLAN
# tag, we can ignore the VLAN id's in the flow hashing.
vlan:
  use-for-tracking: true
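To illustrate the answer above, here is an added, simplified model of the flow-key behaviour that vlan.use-for-tracking controls (example code, not Suricata's own flow hashing; the Packet type, the addresses and the four-packet capture are constructed for the example). With tracking on, the two directions of one TCP connection that carry different VLAN tags land in two separate one-directional flows, so neither ever sees a complete handshake; with tracking off they merge into one bidirectional flow.

```python
from collections import defaultdict
from typing import NamedTuple, Optional, Dict, List, Tuple

# Constructed packet model: just the fields that matter for the flow key.
class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    vlan: Optional[int]   # 802.1Q tag on the wire, None if untagged

def flow_key(pkt: Packet, use_vlan_for_tracking: bool) -> Tuple:
    """Direction-independent flow key, mirroring vlan.use-for-tracking.

    Endpoints are sorted so client->server and server->client packets
    produce the same key; the VLAN id is only mixed in when tracking is on.
    """
    endpoints = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
    key: Tuple = (pkt.proto,) + endpoints
    if use_vlan_for_tracking:
        key += (pkt.vlan,)   # differing tags per direction -> different flows
    return key

def group_flows(packets: List[Packet], use_vlan_for_tracking: bool) -> Dict[Tuple, List[Packet]]:
    """Bucket packets into flows the way the tracker would."""
    flows: Dict[Tuple, List[Packet]] = defaultdict(list)
    for p in packets:
        flows[flow_key(p, use_vlan_for_tracking)].append(p)
    return dict(flows)

def bidirectional_flow_count(packets: List[Packet], use_vlan_for_tracking: bool) -> int:
    """Flows that hold packets from both sides, i.e. ones where a TCP
    handshake can complete and app-layer (HTTP) parsing can run at all."""
    flows = group_flows(packets, use_vlan_for_tracking)
    return sum(1 for pkts in flows.values()
               if len({(p.src, p.sport) for p in pkts}) == 2)

# Constructed capture for the "broken" setup from the answer: each side of
# the connection is tagged with a different VLAN id.
CLIENT, SERVER = "10.0.0.5", "203.0.113.7"
CAPTURE = [
    Packet(CLIENT, 40000, SERVER, 80, "tcp", 10),   # SYN, tagged VLAN 10
    Packet(SERVER, 80, CLIENT, 40000, "tcp", 20),   # SYN/ACK, tagged VLAN 20
    Packet(CLIENT, 40000, SERVER, 80, "tcp", 10),   # ACK + HTTP request
    Packet(SERVER, 80, CLIENT, 40000, "tcp", 20),   # HTTP response
]

if __name__ == "__main__":
    for tracking in (True, False):
        print(f"use-for-tracking={tracking}: "
              f"{len(group_flows(CAPTURE, tracking))} flow(s), "
              f"{bidirectional_flow_count(CAPTURE, tracking)} bidirectional")
```

Run against a real capture from the production sensor (one packet per direction is enough), the same split shows up as two half-flows when the tags differ, which is the case where setting use-for-tracking to false is the documented workaround.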