[Oisf-devel] Suricata multiplying alerts with NFQUEUE

Duarte Silva duarte.silva at serializing.me
Thu Apr 9 15:14:25 UTC 2015

Hi guys,

I'm seeing multiple alerts for the same event in the log files when using 
NFQUEUE. I have the following in the server to be protected:

(No other filtering rules)
# iptables -t filter -A INPUT -j NFQUEUE --queue-balance 0:1 --queue-bypass
# iptables -t filter -A OUTPUT -j NFQUEUE --queue-balance 0:1 --queue-bypass

(File to return to client)
# cat index.html

uid=0(root) gid=0(root) groups=0(root)

(Listen for connections)
#ncat -l 80 < index.html

Then in the client I do:

$ curl http://xxx.xxx.xxx.xxx
uid=0(root) gid=0(root) groups=0(root)

This should trigger two alerts due to the following rules (ET free rule set):

- ET ATTACK_RESPONSE Output of id command from HTTP server
- GPL ATTACK_RESPONSE id check returned root

But I'm receiving 4 alerts for each rule. When running Suricata against the 
packet dump I only get 2 alerts as expected (traffic captured is 10 packets in 

Kernel is 3.10.23 and I tested with Suricata latest from git, 2.1Beta3 and 
2.0.7 (same behavior in all).

Am I doing something wrong?


More information about the Oisf-devel mailing list