I am trying to understand what exactly the “only_stream” option of the flow keyword does. From the documentation of the flow keyword:
Match on packets that have been reassembled by the stream engine.
To me this sounds like this should match when the TCP frames of the trace need to be reassembled. After looking into the source code (following the flags for only_stream and looking more closely into stream-tcp-reassemble.c) I believe this even more since the match counter should get increased if the option is set and the StreamPayload returns that some reassembly was done in the tcp-reassembly class.
However: when I use the following rule to match any reassembled frames, no alerts are ever returned.
alert ip any any -> any any (flow:only_stream; sid:1;)
The traces I used should require some reassembly at least (out of order TCP frames, ack-ing unseen segments, etc.), however the rule above returns no matches (and when I use no_stream instead every frame matches). Is there anything I’m missing why this rule never matches? Or can someone please point me to an example where this does indeed return any alerts at all?
Suricata.yaml stream engine settings I am using, in case I need to align something here (please note: my traces are rather small, < 1MB, but I would assume TCP reassembly should also happen in those cases?):
stream:
  memcap: 64mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true
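A minimal trace that forces the stream engine to reassemble, added here as an example and not part of the original post: a full handshake, then the client's second data segment written before its first, all with valid IP and TCP checksums so the frames survive the checksum-validation: yes setting above. Addresses, ports, sequence numbers and the "HELLO"/"WORLD" payloads are constructed values.

```python
import struct
import socket

# Constructed test trace: TCP handshake, then two client data segments
# written out of order, so the stream engine must reassemble them.
CLIENT, SERVER = "10.0.0.1", "10.0.0.2"   # constructed addresses
SPORT, DPORT = 40000, 80
SYN, ACK, PSH = 0x02, 0x10, 0x08

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame (no options) with correct IP and TCP checksums."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload   # zero MACs, EtherType IPv4

def out_of_order_session():
    """Handshake, then segment 2 before segment 1, then the server's ACK."""
    c, sv = 1000, 2000   # constructed initial sequence numbers
    return [
        tcp_frame(CLIENT, SERVER, SPORT, DPORT, c, 0, SYN),
        tcp_frame(SERVER, CLIENT, DPORT, SPORT, sv, c + 1, SYN | ACK),
        tcp_frame(CLIENT, SERVER, SPORT, DPORT, c + 1, sv + 1, ACK),
        tcp_frame(CLIENT, SERVER, SPORT, DPORT, c + 6, sv + 1, ACK | PSH, b"WORLD"),  # arrives first
        tcp_frame(CLIENT, SERVER, SPORT, DPORT, c + 1, sv + 1, ACK | PSH, b"HELLO"),  # fills the gap
        tcp_frame(SERVER, CLIENT, DPORT, SPORT, sv + 1, c + 11, ACK),
    ]

def pcap_bytes(frames):
    """Classic pcap file, link type 1 (Ethernet), one frame per second."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    with open("out_of_order.pcap", "wb") as fh:
        fh.write(pcap_bytes(out_of_order_session()))
```

Feed the file to Suricata with the rule above in its own rule file (suricata -r out_of_order.pcap -S test.rules) and compare the alert counts for only_stream and no_stream on the same trace.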