[Oisf-users] rule understanding questions

David david at damnetwork.net
Mon Mar 25 13:45:27 UTC 2013

Hi all!

I finally have Suricata set up on my home network the way I want, with traffic being monitored via a passive tap.  I'm in the process of filtering the ET rules (I've currently enabled /all/ the rules, just because) so I'm not getting flooded with info.  Some of the alerts I'm getting I understand (SSH scan attacks, etc.), however, there are a few I'm not sure of.

In the context of /what/ they are, I understand (I understand the TCP 3-way handshake, for example). It's the context of /why/ I'm being alerted that's eluding me.

2210000 - SURICATA STREAM 3way handshake with ack in wrong dir 
- I got over 3 million dings for this one while my wife was watching something on netflix.

2210010 - SURICATA STREAM 3way handshake wrong seq wrong ack
- These all originate from my local external IP address, during the same "watching netflix" window of time. Over a million dings.

2210020 - SURICATA STREAM ESTABLISHED packet out of window
- Same netflix window, about 500,000 dings

2210045 - SURICATA STREAM Packet with invalid ack
- Again, netflix

- Netflix, you jerk.  

I've googled most of these, however, the results are generally links to the ET rulesets, not to anything that helps me understand what causes these alerts.  I've set some threshold rules for them, so I'm not flooding splunk with extraneous info.

Can anyone point me in a direction where I can find out why these are being generated?

Thanks again for any help!


"I find your lack of faith disturbing."
--Darth Vader
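Added example (not from the poster or from the Suricata project): a small fast.log triage script that counts the SURICATA STREAM events listed above per SID, reports what share of each SID's events has the home network's external address as the source, and shows the busiest src -> dst pair. The log lines and the address 198.51.100.7 standing in for the external IP are constructed sample data; directionality per SID is the first thing to look at before deciding which of these events deserve a threshold or suppress entry.

```python
import re
from collections import Counter, defaultdict

# Constructed fast.log lines in Suricata's default format (sample data, not from the post).
# 198.51.100.7 plays the role of the home network's external address.
SAMPLE_FASTLOG = """\
03/25/2013-13:45:27.000001  [**] [1:2210000:1] SURICATA STREAM 3way handshake with ack in wrong dir [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:51234 -> 203.0.113.20:443
03/25/2013-13:45:27.000002  [**] [1:2210000:1] SURICATA STREAM 3way handshake with ack in wrong dir [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:51235 -> 203.0.113.21:443
03/25/2013-13:45:27.000003  [**] [1:2210010:1] SURICATA STREAM 3way handshake wrong seq wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:51236 -> 203.0.113.20:443
03/25/2013-13:45:27.000004  [**] [1:2210020:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.20:443 -> 198.51.100.7:51234
03/25/2013-13:45:27.000005  [**] [1:1000001:1] EXAMPLE non-stream alert (placeholder SID) [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.9:5060 -> 198.51.100.7:5060
"""

# One fast.log line: timestamp  [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
# IPv4 addresses only, to keep the pattern simple.
LINE_RE = re.compile(
    r"\[(\d+):(\d+):\d+\] (.*?) \[\*\*\].*?\{(\w+)\} ([\d.]+):\d+ -> ([\d.]+):\d+"
)


def parse_fastlog(text):
    """Parse fast.log text into a list of event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            gid, sid, msg, proto, src, dst = m.groups()
            events.append({"gid": int(gid), "sid": int(sid), "msg": msg,
                           "proto": proto, "src": src, "dst": dst})
    return events


def summarize_stream_events(events, local_ip):
    """Per SURICATA STREAM SID (gid 1): total count, share of events whose source
    is local_ip, and the busiest src -> dst pair. Other alerts are ignored."""
    totals, from_local, pairs = Counter(), Counter(), defaultdict(Counter)
    for ev in events:
        if ev["gid"] != 1 or not ev["msg"].startswith("SURICATA STREAM"):
            continue
        totals[ev["sid"]] += 1
        if ev["src"] == local_ip:
            from_local[ev["sid"]] += 1
        pairs[ev["sid"]][(ev["src"], ev["dst"])] += 1
    return {sid: {"count": n,
                  "share_from_local": from_local[sid] / n,
                  "top_pair": pairs[sid].most_common(1)[0][0]}
            for sid, n in totals.items()}


if __name__ == "__main__":
    summary = summarize_stream_events(parse_fastlog(SAMPLE_FASTLOG), "198.51.100.7")
    for sid, stats in sorted(summary.items()):
        print(sid, stats)
```

Point it at a real fast.log by reading the file into `parse_fastlog` and passing your own external address as `local_ip`.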
