[Oisf-devel] Suricata multiplying alerts with NFQUEUE

Thu Apr 9 20:53:23 UTC 2015

On Thursday 09 April 2015 16:40:25 Duarte Silva wrote:
> On Thursday 09 April 2015 17:17:03 Victor Julien wrote:
> > On 04/09/2015 05:14 PM, Duarte Silva wrote:
> > > Hi guys,
> > > 
> > > I'm seeing multiple alerts for the same event in the log files when
> > > using
> > > NFQUEUE. I have the following in the server to be protected:
> > > 
> > > (No other filtering rules)
> > > # iptables -t filter -A INPUT -j NFQUEUE --queue-balance 0:1
> > > --queue-bypass
> > > # iptables -t filter -A OUTPUT -j NFQUEUE --queue-balance 0:1
> > > --queue-bypass
> > > 
> > > (File to return to client)
> > > # cat index.html
> > > HTTP/1.1 OK
> > > 
> > > uid=0(root) gid=0(root) groups=0(root)
> > > 
> > > (Listen for connections)
> > > #ncat -l 0.0.0.0 80 < index.html
> > > 
> > > Then in the client I do:
> > > 
> > > $ curl http://xxx.xxx.xxx.xxx
> > > uid=0(root) gid=0(root) groups=0(root)
> > > 
> > > This should trigger two alerts due to the following rules (ET free rule
> > > set):
> > > 
> > > - ET ATTACK_RESPONSE Output of id command from HTTP server
> > > - GPL ATTACK_RESPONSE id check returned root
> > > 
> > > But I'm receiving 4 alerts for each rule. When running Suricata against
> > > the
> > > packet dump I only get 2 alerts as expected (traffic captured is 10
> > > packets in length).
> > > 
> > > Kernel is 3.10.23 and I tested with Suricata latest from git, 2.1Beta3
> > > and
> > > 2.0.7 (same behavior in all).
> > > 
> > > Am I doing something wrong?
> > 
> > Wonder if you perhaps get alerts on retransmissions?
> > 
> > If you enable alert-debug log you should get info on where suri found
> > the alerts, could be packet vs stream as well?
> 
> Don't know how to answer your question :( This is what I get in alert-debug
> log.

I have also tried with the new NFTABLES and the problem is the same. I'm not 
seeing this behavior on rules that are triggered in client to server.