The flow id got changed even though I keep send the same packet

cifer · April 27, 2022, 4:04am

Hi there,

I found that the flow_id in the alert log may change after a while even though I keep sending the same packets (which means the packets are with the same src_port, src_addr, dst_port, dst_addr, proto).

I know that there’s a flow-timeouts configuration but I don’t think it’s the cause since I kept sending the packet without brreak.

So I think there may be some logic inside suricata that causes this behavior?

(note the id field in the screenshot is the flow_id field in eve log)

ish · April 27, 2022, 4:12am

Time is considered as part of the flow ID. Even though you are using the same 5 tuple, are you sure they are still part of the same TCP session?

You can check out the community id option (disabled by default) which doesn’t consider time which may provide the consistent ID you are after.

cifer · April 27, 2022, 4:24am

Thanks Jason.

Actually we found this same behavior for UDP packets stream as well, which I think there’s no session concept…

but let us enable the community id first and see what can we find…

Topic		Replies	Views
Inaccurate flow information about a conversation Help	3	313	August 30, 2021
Alert packet doesn't match signature (stream vs no stream) Rules rules	1	383	January 28, 2022
Tx_id in http flow Help	4	472	December 1, 2022
Help understanding UDP flows and alerting Rules rules , suricata	6	1279	June 30, 2022
Is vlan id tagging available as an outflow? Help	1	691	January 7, 2021

The flow id got changed even though I keep send the same packet

Related Topics