--- /dev/null
+PCAP
+====
+
+Pcap by Victor Julien
+
--- /dev/null
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stream:
+ all: true
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: yes
+ stream: yes
+ applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ - flow
--- /dev/null
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN/ACK ignored TFO data"; stream-event:3whs_synack_tfo_data_ignored; classtype:protocol-command-decode; sid:2210064; rev:1;)
--- /dev/null
+requires:
+ files:
+ - src/output-eve-stream.c
+
+args:
+- --simulate-ips
+#- --set stream.midstream=true
+#- --set stream.midstream-policy=ignore
+- --runmode=single
+#- --set stats.stream-events=true
+- --set flow-timeouts.tcp.new=60
+- --set flow-timeouts.tcp.established=600
+# Long timeout to avoid midstream pickup at the end.
+- --set flow-timeouts.tcp.closed=60
+
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 1
+ direction: "to_server"
+ stream_tcp.session.state: "syn_sent"
+ stream_tcp.packet.len: 585
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 2
+ direction: "to_client"
+ stream_tcp.session.state: "syn_recv"
+ stream_tcp.events[0]: "stream.3whs_synack_tfo_data_ignored"
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 3
+ direction: "to_server"
+ stream_tcp.session.state: "syn_sent"
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: "icloud.com"
+ tls.version: "UNDETERMINED"
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: "icloud.com"
+ tls.version: "TLS 1.3"
--- /dev/null
+PCAP
+====
+
+Pcap by Victor Julien
+
--- /dev/null
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stream:
+ all: true
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: yes
+ stream: yes
+ applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ - flow
--- /dev/null
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN/ACK ignored TFO data"; stream-event:3whs_synack_tfo_data_ignored; classtype:protocol-command-decode; sid:2210064; rev:1;)
--- /dev/null
+requires:
+ files:
+ - src/output-eve-stream.c
+
+args:
+- --simulate-ips
+- --runmode=single
+- --set flow-timeouts.tcp.new=60
+- --set flow-timeouts.tcp.established=600
+- --set flow-timeouts.tcp.closed=60
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 1
+ direction: "to_server"
+ stream_tcp.session.state: "syn_sent"
+ stream_tcp.packet.len: 585
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 2
+ direction: "to_client"
+ stream_tcp.session.state: "syn_recv"
+ stream_tcp.events[0]: "stream.3whs_synack_tfo_data_ignored"
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 3
+ direction: "to_server"
+ stream_tcp.session.state: "established"
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: "icloud.com"
+ tls.version: "TLS 1.3"
projects / thirdparty / suricata-verify.git / commitdiff
