Stream reassembly depth

The stream engine has a reassembly depth parameter, and as per the document Suricata will stop tracking or inspecting/detecting once the depth is reached. What exactly does that mean? Does that mean packets are simply ignored by Suricata? Does that mean packets are received by the receive/decode thread and sent to the output module without any detection/logging etc.?
In IPS mode, Suricata uses a sliding window and feeds data to the inspection engine based on that window. Does that mean it holds on to that many packets until they are inspected, or does it just copy the packet data to a local buffer and egress the packets immediately? Does Suricata hold on to packets at any time? The reason I am asking this is because once the stream depth is reached, and Suricata had already held on to a few packets (sliding window size), if packets after the depth are sent immediately, won’t that result in out of order?

Can someone please help me understand whether Suricata at any point holds packets, or whether it makes a local copy and parses/inspects it? If I am not wrong, in inline mode, as it uses a sliding window, it doesn’t make sense to hold the packets. Please help.

In IPS mode packets will be forwarded regardless of being in order or out of order. Segment data is held until it is ack’d to:

  • check for retransmits with overlapping different data,
  • inspect packets in the sliding window,
  • handle out of order data,
  • make sure stream data is available for inspection in combination with app-layer keywords (e.g. http.uri).
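
A simplified model of the behaviour described in the answer above, added as an example and not part of the thread or Suricata's own code: every packet is forwarded, while a copy of each segment's payload is retained until it is ACK'd so that retransmits, out-of-order data and the inspection window can be handled. The class and method names, the byte-based depth cutoff (taken from the documentation statement quoted in the question) and the sample packets are assumptions for illustration; sequence number wraparound is ignored.

```python
class StreamModel:
    """Toy model of one TCP direction in IPS mode (not Suricata's code)."""

    def __init__(self, start_seq, depth):
        self.start = start_seq   # sequence number of the first payload byte
        self.acked = start_seq   # bytes below this have been ACK'd
        self.depth = depth       # stand-in for the reassembly depth, in bytes
        self.segments = {}       # seq -> retained copy of the TCP payload
        self.events = []

    def on_data(self, seq, payload):
        """Take a data packet; True means forwarded, which always happens here."""
        end = seq + len(payload)
        for s_seq, s_data in self.segments.items():
            lo, hi = max(seq, s_seq), min(end, s_seq + len(s_data))
            if lo < hi and payload[lo - seq:hi - seq] != s_data[lo - s_seq:hi - s_seq]:
                self.events.append(("overlap_different_data", seq))
        room = self.depth - (seq - self.start)
        if room <= 0:
            self.events.append(("beyond_depth_not_stored", seq))
        elif seq not in self.segments:
            self.segments[seq] = payload[:room]   # copy, cut off at the depth
        return True

    def on_ack(self, ack):
        """Free segments the receiver has fully ACK'd; return bytes freed."""
        self.acked = max(self.acked, ack)
        done = [s for s, d in self.segments.items() if s + len(d) <= ack]
        return sum(len(self.segments.pop(s)) for s in done)

    def window(self):
        """Contiguous un-ACK'd payload, in sequence order, for inspection."""
        out, nxt = b"", self.acked
        for s_seq in sorted(self.segments):
            data = self.segments[s_seq]
            if s_seq > nxt:
                break                             # gap: later data waits
            out += data[nxt - s_seq:]
            nxt = max(nxt, s_seq + len(data))
        return out

if __name__ == "__main__":
    s = StreamModel(start_seq=1000, depth=12)     # constructed sample traffic
    for seq, data in [(1004, b"/adm"), (1000, b"GET "), (1004, b"/xyz"),
                      (1008, b"in HTTP/1.1"), (1019, b"\r\n")]:
        s.on_data(seq, data)
        print(seq, s.window(), s.events[-1:])
    print("freed", s.on_ack(1008), "left", s.window())
```
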

Thanks Victor, really appreciate your response. So when you say segment data, you mean the packet TCP payload in Suricata's stream reassembly memory. Is that correct?