[Oisf-devel] Suricata multiplying alerts with NFQUEUE
Victor Julien
victor at inliniac.net
Thu Apr 9 15:17:03 UTC 2015
On 04/09/2015 05:14 PM, Duarte Silva wrote:
> Hi guys,
>
> I'm seeing multiple alerts for the same event in the log files when using
> NFQUEUE. I have the following in the server to be protected:
>
> (No other filtering rules)
> # iptables -t filter -A INPUT -j NFQUEUE --queue-balance 0:1 --queue-bypass
> # iptables -t filter -A OUTPUT -j NFQUEUE --queue-balance 0:1 --queue-bypass
>
> (File to return to client)
> # cat index.html
> HTTP/1.1 OK
>
> uid=0(root) gid=0(root) groups=0(root)
>
> (Listen for connections)
> #ncat -l 0.0.0.0 80 < index.html
>
> Then in the client I do:
>
> $ curl http://xxx.xxx.xxx.xxx
> uid=0(root) gid=0(root) groups=0(root)
>
> This should trigger two alerts due to the following rules (ET free rule set):
>
> - ET ATTACK_RESPONSE Output of id command from HTTP server
> - GPL ATTACK_RESPONSE id check returned root
>
> But I'm receiving 4 alerts for each rule. When running Suricata against the
> packet dump I only get 2 alerts as expected (traffic captured is 10 packets in
> length).
>
> Kernel is 3.10.23 and I tested with Suricata latest from git, 2.1Beta3 and
> 2.0.7 (same behavior in all).
>
> Am I doing something wrong?
Wonder if you perhaps get alerts on retransmissions?
If you enable alert-debug log you should get info on where suri found
the alerts, could be packet vs stream as well?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list