Suricata rule fires on TCP-SYN even if flow:established is set

Hey Suricata folks,

We think we have found some strange behaviour: Suricata fires an alert event for only three TCP SYN packets, although the rule has flow:established set.
We don't know whether we misunderstand the flow:established keyword or whether this could even be a bug in Suricata.

Our setup:
Suricata 7.0.7 from Debian 12 Backports
Debian 12.8 / Kernel 6.1.119-1

We can reduce the problem to a sample PCAP that contains just three TCP SYN packets to destination port 2404 from source 192.0.2.1 to destination 198.51.100.1 (both demo IPs).

We have these two rules with the variables set accordingly in suricata.yaml as follows:

  • IEC104_DEVICES: "[198.51.100.0/24]" and part of HOME_NET
  • IEC104_SERVERS: "[192.0.2.1]" and not part of HOME_NET
alert tcp !$IEC104_DEVICES any -> $IEC104_DEVICES 2404 (msg:"Unauthorized IEC104 access to IEC104_DEVICES from foreign device"; flow:established; classtype:policy-violation; sid:1; rev:1;)

alert tcp !$IEC104_SERVERS any -> $HOME_NET 2404 (msg:"Unauthorized IEC104 interrogation command to IEC104_SERVERS"; flow:established; content:"|68|"; startswith; fast_pattern; content:"|64|"; within:1; distance:5; classtype:successful-recon-limited; sid:2; rev:1;)

First question: If we replay the PCAP, the first rule (sid:1) fires, although we explicitly set flow:established! According to the docs (Link), it should only fire on connections whose TCP three-way handshake has completed, which is not the case here, as there isn't even any answer from 198.51.100.1. What are we doing wrong here?

Second question: If we disable the second rule (sid:2), the first rule (sid:1) no longer fires! Why do these two rules influence each other?

We can reproduce the described behaviour with the files attached to this post. Go to the folder "demo", build a new Docker container image with the script "build.sh" and run Suricata with the given config in the container using the script "run.sh". Alternatively, you can just use the configs and the PCAP if you don't trust the scripts.

Thanks for your help!
Regards
Andreas

demo.tgz (54.8 KB)
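For readers who want to reproduce the replay without unpacking the attachment, the following script is an added example (it is not the demo.tgz from the post and not part of Suricata) that writes the same kind of minimal PCAP: three bare TCP SYN segments from 192.0.2.1 to 198.51.100.1:2404 with no reply traffic at all. It uses only the Python standard library, so it runs offline. The source port, MAC addresses, initial sequence number, timestamps and the one-second spacing are constructed values chosen for the example; the fixed ISN makes the second and third SYN look like retransmissions of the first, which is the usual shape of an unanswered connection attempt. A small reader function parses the file back and verifies the IP and TCP checksums so that a broken packet does not silently get dropped by the stream engine.

```python
"""Write a minimal three-SYN PCAP (192.0.2.1 -> 198.51.100.1:2404) and read it back.

Added example, not the attached demo.tgz. Standard library only.
All MACs, ports, sequence numbers and timestamps are constructed values.
"""
import socket
import struct

SRC_IP = "192.0.2.1"
DST_IP = "198.51.100.1"
SRC_PORT = 40000            # assumed ephemeral client port
DST_PORT = 2404             # IEC 60870-5-104 default port, as in the post
ETH_SRC = bytes.fromhex("020000000001")   # constructed, locally administered
ETH_DST = bytes.fromhex("020000000002")
ISN = 0x10000000            # constructed initial sequence number

# pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def checksum(data: bytes) -> int:
    """Ones-complement Internet checksum (RFC 1071) over data, odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int) -> bytes:
    """IPv4 header + TCP header for a bare SYN: no options, no payload, checksums filled."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset 5 words, flags SYN (0x02), window, csum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 64240, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # ver/ihl, tos, total length, id, DF flag, ttl, proto, csum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def build_pcap(n_syn: int = 3, base_ts: float = 1700000000.0, interval: float = 1.0) -> bytes:
    """Return pcap bytes holding n_syn identical SYNs one direction only, spaced by interval."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for i in range(n_syn):
        frame = ETH_DST + ETH_SRC + b"\x08\x00" + tcp_syn(SRC_IP, DST_IP, SRC_PORT, DST_PORT, ISN)
        ts = base_ts + i * interval
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))  # per-packet header
        out += frame
    return bytes(out)


def parse_pcap(data: bytes):
    """Read the pcap back; yield (src, dst, sport, dport, tcp_flags, ip_csum_ok, tcp_csum_ok)."""
    if data[:4] != struct.pack("<I", 0xA1B2C3D4):
        raise ValueError("not a little-endian pcap file")
    off, pkts = 24, []
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl]
        off += incl
        ip = frame[14:]                       # skip Ethernet header
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
        # a correct checksum makes the ones-complement sum over header + checksum come out as 0
        pkts.append((src, dst, sport, dport, tcp[13],
                     checksum(ip[:ihl]) == 0, checksum(pseudo + tcp) == 0))
    return pkts


if __name__ == "__main__":
    with open("three-syn.pcap", "wb") as fh:
        fh.write(build_pcap())
    for p in parse_pcap(build_pcap()):
        print(p)
```

Replay it with the config from the post, e.g. `suricata -c suricata.yaml -r three-syn.pcap -l out/`, and compare `out/fast.log` with sid:2 enabled and disabled; since the reverse direction is entirely absent, no three-way handshake can complete for this flow, which is the property the question hinges on.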