[Oisf-users] rule understanding questions

David david at damnetwork.net
Mon Mar 25 17:45:09 UTC 2013

I'm using version 1.4.1.  I copied all the stats.log info from 12:a-12:34a the night I got all the hits, but even gzipped, it's 37k.  I can attach it to an email to the list if thats ok.  Otherwise, I'll have to find a place to put it, heh.

----- Original Message -----
From: "Victor Julien" <lists at inliniac.net>
To: oisf-users at openinfosecfoundation.org
Sent: Monday, March 25, 2013 9:42:17 AM
Subject: Re: [Oisf-users] rule understanding questions

On 03/25/2013 02:45 PM, David wrote:
> Hi all!
> I finally have Suricata setup on my home network the way I want, with traffic being monitored via a passive tap.  I'm in the process of filtering the ET rules (I've currently enabled /all/ the rules, just because) so I'm not getting flooded with info.  Some of the alerts I'm getting I understand (SSH scan attacks, etc), however, there are a few I'm not sure of.  
> In the context of /what/ they are I understand (I understand the tcp 3-way handshake, for example). It's the context of /why/ I'm being alerted that's alluding me.
> 2210000 - SURICATA STREAM 3way handshake with ack in wrong dir 
> - I got over 3 million dings for this one while my wife was watching something on netflix.
> 2210010 - SURICATA STREAM 3way handshake wrong seq wrong ack
> - These all originate from my local external IP address, during the same "watching netflix" window of time. Over a million dings.
> 2210020 - SURICATA STREAM ESTABLISHED packet out of window
> - Same netflix window, about 500,000 dings
> 2210045 - SURICATA STREAM Packet with invalid ack
> - Again, netflix
> 2210029 - SURICATA STREAM ESTABLISHED invalid ack
> - Netflix, you jerk.  
> I've googled most of these, however, the results are generally links to the ET rulesets, not to anything that helps me understand what causes these alerts.  I've set some threshold rules for them, so I'm not flooding splunk with extreneous info.
> Can anyone point me in a direction where I can find out why these are being generated?

What version of Suricata are you running? We improved this quite a bit
in 1.4.

Are you seeing a lot of pkt loss? Maybe you can share a record of the
stats.log, this should give us an idea on that.


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/

More information about the Oisf-users mailing list