Support #2453 (closed): Big flows are split
Description
Hi,
I wrote a rule to match on a specific file that I send over a TCP socket using a Python script.
This rule calls a Lua script that writes the flow data to a file.
The file size is about 500 KB.
What I expected is that the rule would trigger only once on the whole TCP session, but it didn't.
The rule triggered many times, and each file created by the Lua script is only a part of the real file.
Another strange thing is that the files do not have the same size.
Does anyone have an idea why it is doing that?
Thank you!
The data sent is "Hello"*100000.
This is the rule:
alert ip any any -> any any (msg:"TEST"; content:"Hello"; sid:290666; luajit:test.lua;)
The Lua script:
-- init() tells Suricata which data the script needs: the reassembled stream
function init (args)
    local needs = {}
    needs["stream"] = tostring(true)
    return needs
end

local DIR_TEST = "/var/log/suricata/test/"

-- match() is called for every detection run in which the rule matched;
-- it writes the stream data it was given to a new, randomly named file
function match (args)
    local ID = tostring(math.random(10^10, 10^(11) - 1))
    local name = SCFlowTimeString()..ID
    local data = args["stream"]
    local file = io.open(DIR_TEST..name, "w")
    file:write(data)
    file:close()
    return 1
end

return 0
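The behaviour described above follows from how Suricata hands data to a rule: the reassembled TCP stream is inspected in chunks, the rule is evaluated against each chunk, and `args["stream"]` in the Lua script holds only the chunk that triggered the current match, not the whole session. Opening a fresh file in "w" mode on every match therefore yields one fragment per match, with sizes that depend on the chunk boundaries. The script below is an added example, not the poster's script or Suricata's own code; it keeps one file per flow by deriving the file name from the flow's 5-tuple (via Suricata's `SCFlowTuple()`) and opening it in append mode, so successive chunks of the same flow are concatenated. The directory `/var/log/suricata/test/` is taken from the original post and is assumed to exist and be writable by the Suricata process.

```lua
-- Added example (not the original poster's script, not Suricata's own code):
-- append every stream chunk of a flow to a single per-flow file.
-- Assumes Suricata's Lua API provides SCFlowTuple() and that DIR_TEST
-- exists and is writable by the Suricata process.

local DIR_TEST = "/var/log/suricata/test/"

function init(args)
    local needs = {}
    needs["stream"] = tostring(true)  -- ask Suricata for reassembled stream data
    return needs
end

-- Build a stable key from the flow's 5-tuple so that every chunk of the
-- same flow lands in the same file. The 5-tuple is per-flow, whereas the
-- match (and args["stream"]) is per-chunk.
local function flow_key()
    local ipver, src, dst, proto, sp, dp = SCFlowTuple()
    -- replace characters that are awkward in file names (IPv6 colons)
    src = string.gsub(src, ":", "-")
    dst = string.gsub(dst, ":", "-")
    return string.format("ipv%d_%s_%d_%s_%d_proto%d", ipver, src, sp, dst, dp, proto)
end

function match(args)
    local data = args["stream"]
    if data == nil then
        return 0
    end
    -- "a" opens in append mode, so repeated matches extend one file
    -- instead of creating a new fragment each time
    local f = io.open(DIR_TEST .. flow_key(), "a")
    if f == nil then
        return 0
    end
    f:write(data)
    f:close()
    return 1
end

return 0
```

Referenced from the rule exactly as in the post (`luajit:test.lua;`), this produces one file per TCP flow that grows as chunks arrive. Note that only chunks in which the rule's `content:"Hello"` matched reach the script; with a payload that is "Hello" repeated, every chunk matches, but for a payload where some chunk contains no copy of the pattern, that chunk would be absent from the file.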