[Oisf-devel] Suricata multiplying alerts with NFQUEUE
Duarte Silva
duarte.silva at serializing.me
Thu Apr 9 15:14:25 UTC 2015
Hi guys,
I'm seeing multiple alerts for the same event in the log files when using
NFQUEUE. I have the following on the server to be protected:
(No other filtering rules)
# iptables -t filter -A INPUT -j NFQUEUE --queue-balance 0:1 --queue-bypass
# iptables -t filter -A OUTPUT -j NFQUEUE --queue-balance 0:1 --queue-bypass
(File to return to client)
# cat index.html
HTTP/1.1 OK
uid=0(root) gid=0(root) groups=0(root)
(Listen for connections)
# ncat -l 0.0.0.0 80 < index.html
Then in the client I do:
$ curl http://xxx.xxx.xxx.xxx
uid=0(root) gid=0(root) groups=0(root)
This should trigger two alerts due to the following rules (ET free rule set):
- ET ATTACK_RESPONSE Output of id command from HTTP server
- GPL ATTACK_RESPONSE id check returned root
But I'm receiving 4 alerts for each rule. When running Suricata against the
packet dump I only get 2 alerts, as expected (the captured traffic is 10 packets
long).
The kernel is 3.10.23 and I tested with the latest Suricata from git, 2.1beta3 and
2.0.7 (same behavior in all).
Am I doing something wrong?
Cheers,
Duarte
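A way to tell duplicate logging apart from genuinely repeated events, as an added example that is not part of the original post or of Suricata itself: group alerts from an eve.json log by signature and direction-independent 5-tuple, and flag any signature that fires more than once on the same flow within a short window. The eve.json field layout (timestamp, src_ip/src_port/dest_ip/dest_port/proto, alert.signature_id) is assumed, the sample lines are constructed to model the symptom described above, and the signature_id values are assumed rather than taken from the ET rule files.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample eve.json lines (not from the original post). Two
# signatures are each logged twice for the same TCP flow, microseconds
# apart, plus one alert on an unrelated flow. signature_id values are
# assumed, not copied from the ET rule set.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2015-04-09T15:01:02.000100+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":80,"dest_ip":"198.51.100.20","dest_port":41000,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
    '{"timestamp":"2015-04-09T15:01:02.000100+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":80,"dest_ip":"198.51.100.20","dest_port":41000,"proto":"TCP","alert":{"signature_id":2006380,"signature":"ET ATTACK_RESPONSE Output of id command from HTTP server"}}',
    '{"timestamp":"2015-04-09T15:01:02.000250+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":80,"dest_ip":"198.51.100.20","dest_port":41000,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
    '{"timestamp":"2015-04-09T15:01:02.000250+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":80,"dest_ip":"198.51.100.20","dest_port":41000,"proto":"TCP","alert":{"signature_id":2006380,"signature":"ET ATTACK_RESPONSE Output of id command from HTTP server"}}',
    '{"timestamp":"2015-04-09T15:01:02.000400+0000","event_type":"flow","src_ip":"198.51.100.20","src_port":41000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP"}',
    '{"timestamp":"2015-04-09T15:03:30.500000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":80,"dest_ip":"198.51.100.21","dest_port":52000,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}',
])


def iter_alerts(text):
    """Yield only event_type=alert records; other eve event types are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            yield ev


def flow_key(ev):
    """Direction-independent 5-tuple, so a hit seen on the INPUT side and
    again on the OUTPUT side of one connection lands in the same bucket."""
    ends = sorted([(ev["src_ip"], ev["src_port"]), (ev["dest_ip"], ev["dest_port"])])
    return (ev["proto"], ends[0], ends[1])


def parse_ts(s):
    # eve.json timestamps carry microseconds and a numeric UTC offset
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def alerts_per_flow(text):
    """Map (signature_id, flow_key) -> sorted list of alert timestamps."""
    buckets = defaultdict(list)
    for ev in iter_alerts(text):
        key = (ev["alert"]["signature_id"], flow_key(ev))
        buckets[key].append(parse_ts(ev["timestamp"]))
    for ts in buckets.values():
        ts.sort()
    return buckets


def find_duplicates(text, window=1.0):
    """Return {(sid, flow_key): (count, span_seconds)} for each signature
    that fired more than once on one flow within `window` seconds of its
    first hit. A real repeat (client re-fetching the page later) falls
    outside the window and is not reported."""
    dups = {}
    for key, ts in alerts_per_flow(text).items():
        within = [t for t in ts if (t - ts[0]).total_seconds() <= window]
        if len(within) > 1:
            dups[key] = (len(within), (within[-1] - within[0]).total_seconds())
    return dups


def summary(text):
    """Per signature: total alerts, distinct flows, alerts per flow.
    A single-pass inline setup should keep the last number at 1.0."""
    totals = defaultdict(int)
    flows = defaultdict(set)
    for ev in iter_alerts(text):
        sid = ev["alert"]["signature_id"]
        totals[sid] += 1
        flows[sid].add(flow_key(ev))
    return {sid: (totals[sid], len(flows[sid]), totals[sid] / len(flows[sid]))
            for sid in totals}


if __name__ == "__main__":
    for (sid, flow), (n, span) in sorted(find_duplicates(SAMPLE_EVE).items()):
        print(f"sid {sid} fired {n}x on {flow} within {span * 1e6:.0f} us")
    for sid, (total, nflows, ratio) in sorted(summary(SAMPLE_EVE).items()):
        print(f"sid {sid}: {total} alerts over {nflows} flow(s), {ratio:.1f} per flow")
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents: a signature reported with a count of 4 and a span of a few hundred microseconds on one flow is the multiplication described above, whereas the same count spread over several flows or over seconds apart is separate events.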