Suricata: 6.0.20
OS: Linux
I am curious about the differences between a data stream seen by both a firewall and Suricata. Simple diagram:

    Internal Net | ---- FW ---- | Internet
                        |
                   mirror (tap)
                        |
                      -----
                  VM (suricata)
How close would the bytes for the same stream be to each other if you logged both from the FW and Suricata? I haven't got my lab fully up to test it, so I'm curious whether anyone has tested any differences.
I understand that different firewalls could cause the problem, where some kinds might be closer to other kinds. Maybe these will even never be able to say X flow from Suricata is the same as Y flow from a firewall, due to the parsing/coding of how a firewall or Suricata determines the flow start/end.
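One way to measure the gap the question asks about, as an added example that is not part of the original post: pair Suricata EVE `flow` records with firewall session records on a direction-agnostic 5-tuple and an overlapping time window (with slack, since the two devices close flows on different timers), then report the byte-count difference. The EVE field names are Suricata's real flow schema; the firewall record layout and every sample value are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed EVE lines (field names follow Suricata's flow event schema).
EVE_LINES = [
    '{"event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"93.184.216.34",'
    '"dest_port":443,"proto":"TCP","flow":{"bytes_toserver":1860,"bytes_toclient":5420,'
    '"start":"2024-03-01T10:00:00.000000+0000","end":"2024-03-01T10:00:04.500000+0000"}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","proto":"TCP"}',
]

# Constructed firewall session log in a hypothetical generic layout; real products differ.
# Counts are deliberately a little lower than Suricata's to show a realistic mismatch.
FW_RECORDS = [
    {"start": "2024-03-01T10:00:01Z", "end": "2024-03-01T10:00:06Z",
     "src": "10.0.0.5", "sport": 51000, "dst": "93.184.216.34", "dport": 443,
     "proto": "TCP", "bytes_out": 1780, "bytes_in": 5300},
]

def parse_ts(s):
    """Parse Suricata's '...%f+0000' timestamps and a bare 'Z' form to aware datetimes."""
    s = s.replace("Z", "+0000")
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if "." in s else "%Y-%m-%dT%H:%M:%S%z"
    return datetime.strptime(s, fmt)

def flow_key(ip_a, port_a, ip_b, port_b, proto):
    """Direction-agnostic 5-tuple: FW and tap may disagree on which side is 'source'."""
    return (proto.upper(),) + tuple(sorted([(ip_a, port_a), (ip_b, port_b)]))

def correlate(eve_lines, fw_records, slack=timedelta(seconds=5)):
    """Pair each Suricata flow with firewall sessions on the same 5-tuple whose
    time window overlaps (allowing `slack`) and return the byte-count gaps."""
    fw_by_key = {}
    for r in fw_records:
        k = flow_key(r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
        fw_by_key.setdefault(k, []).append(r)
    results = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue  # alerts, dns, http, etc. carry no per-flow byte totals
        k = flow_key(ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"])
        s_start, s_end = parse_ts(ev["flow"]["start"]), parse_ts(ev["flow"]["end"])
        s_bytes = ev["flow"]["bytes_toserver"] + ev["flow"]["bytes_toclient"]
        for r in fw_by_key.get(k, []):
            f_start, f_end = parse_ts(r["start"]), parse_ts(r["end"])
            if f_start - slack <= s_end and s_start <= f_end + slack:  # windows overlap
                f_bytes = r["bytes_out"] + r["bytes_in"]
                results.append({"key": k, "suricata_bytes": s_bytes, "fw_bytes": f_bytes,
                                "delta": s_bytes - f_bytes,
                                "delta_pct": round(100 * (s_bytes - f_bytes) / f_bytes, 1)})
    return results

if __name__ == "__main__":
    for row in correlate(EVE_LINES, FW_RECORDS):
        print(row)
```

Running it over real logs, the sign and size of `delta_pct` per flow tells you whether the two devices count at the same layer (wire vs IP payload) and how far apart their flow timeouts are.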