[Oisf-users] rule understanding questions

David david at damnetwork.net
Mon Mar 25 20:38:20 UTC 2013


Perfect, here it is:

Date: 3/24/2013 -- 00:34:55 (uptime: 2d, 03h 49m 59s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxAFPeth11                | 5611583
capture.kernel_drops      | RxAFPeth11                | 209
decoder.pkts              | RxAFPeth11                | 5614133
decoder.bytes             | RxAFPeth11                | 527524700
decoder.ipv4              | RxAFPeth11                | 5614101
decoder.ipv6              | RxAFPeth11                | 43
decoder.ethernet          | RxAFPeth11                | 5614133
decoder.raw               | RxAFPeth11                | 0
decoder.sll               | RxAFPeth11                | 0
decoder.tcp               | RxAFPeth11                | 5586627
decoder.udp               | RxAFPeth11                | 24678
decoder.sctp              | RxAFPeth11                | 0
decoder.icmpv4            | RxAFPeth11                | 2815
decoder.icmpv6            | RxAFPeth11                | 0
decoder.ppp               | RxAFPeth11                | 0
decoder.pppoe             | RxAFPeth11                | 0
decoder.gre               | RxAFPeth11                | 0
decoder.vlan              | RxAFPeth11                | 0
decoder.teredo            | RxAFPeth11                | 24
decoder.ipv4_in_ipv6      | RxAFPeth11                | 0
decoder.ipv6_in_ipv6      | RxAFPeth11                | 0
decoder.avg_pkt_size      | RxAFPeth11                | 94
decoder.max_pkt_size      | RxAFPeth11                | 1514
defrag.ipv4.fragments     | RxAFPeth11                | 0
defrag.ipv4.reassembled   | RxAFPeth11                | 0
defrag.ipv4.timeouts      | RxAFPeth11                | 0
defrag.ipv6.fragments     | RxAFPeth11                | 0
defrag.ipv6.reassembled   | RxAFPeth11                | 0
defrag.ipv6.timeouts      | RxAFPeth11                | 0
defrag.max_frag_hits      | RxAFPeth11                | 0
capture.kernel_packets    | RxAFPeth21                | 9107856
capture.kernel_drops      | RxAFPeth21                | 3575
decoder.pkts              | RxAFPeth21                | 9109456
decoder.bytes             | RxAFPeth21                | 11309039291
decoder.ipv4              | RxAFPeth21                | 7694181
decoder.ipv6              | RxAFPeth21                | 1
decoder.ethernet          | RxAFPeth21                | 9109456
decoder.raw               | RxAFPeth21                | 0
decoder.sll               | RxAFPeth21                | 0
decoder.tcp               | RxAFPeth21                | 7656260
decoder.udp               | RxAFPeth21                | 34335
decoder.sctp              | RxAFPeth21                | 0
decoder.icmpv4            | RxAFPeth21                | 476
decoder.icmpv6            | RxAFPeth21                | 0
decoder.ppp               | RxAFPeth21                | 0
decoder.pppoe             | RxAFPeth21                | 0
decoder.gre               | RxAFPeth21                | 0
decoder.vlan              | RxAFPeth21                | 0
decoder.teredo            | RxAFPeth21                | 1
decoder.ipv4_in_ipv6      | RxAFPeth21                | 0
decoder.ipv6_in_ipv6      | RxAFPeth21                | 0
decoder.avg_pkt_size      | RxAFPeth21                | 1241
decoder.max_pkt_size      | RxAFPeth21                | 1514
defrag.ipv4.fragments     | RxAFPeth21                | 0
defrag.ipv4.reassembled   | RxAFPeth21                | 0
defrag.ipv4.timeouts      | RxAFPeth21                | 0
defrag.ipv6.fragments     | RxAFPeth21                | 0
defrag.ipv6.reassembled   | RxAFPeth21                | 0
defrag.ipv6.timeouts      | RxAFPeth21                | 0
defrag.max_frag_hits      | RxAFPeth21                | 0
tcp.sessions              | Detect                    | 20233
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 3379
tcp.invalid_checksum      | Detect                    | 118
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 18087936
tcp.syn                   | Detect                    | 20386
tcp.synack                | Detect                    | 20461
tcp.rst                   | Detect                    | 26335
tcp.segment_memcap_drop   | Detect                    | 2391
tcp.stream_depth_reached  | Detect                    | 314
tcp.reassembly_memuse     | Detect                    | 33881088
tcp.reassembly_gap        | Detect                    | 840
detect.alert              | Detect                    | 7138315
flow_mgr.closed_pruned    | FlowManagerThread         | 20126
flow_mgr.new_pruned       | FlowManagerThread         | 4255
flow_mgr.est_pruned       | FlowManagerThread         | 22093
flow.memuse               | FlowManagerThread         | 6406336
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0
-------------------------------------------------------------------


----- Original Message -----
From: "Victor Julien" <lists at inliniac.net>
To: oisf-users at openinfosecfoundation.org
Sent: Monday, March 25, 2013 10:48:55 AM
Subject: Re: [Oisf-users] rule understanding questions

On 03/25/2013 06:45 PM, David wrote:
> I'm using version 1.4.1.  I copied all the stats.log info from 12:a-12:34a the night I got all the hits, but even gzipped, it's 37k.  I can attach it to an email to the list if that's ok.  Otherwise, I'll have to find a place to put it, heh.

Just the last record is fine, should be ~50 lines.

Cheers,
Victor

> 
> 
> ----- Original Message -----
> From: "Victor Julien" <lists at inliniac.net>
> To: oisf-users at openinfosecfoundation.org
> Sent: Monday, March 25, 2013 9:42:17 AM
> Subject: Re: [Oisf-users] rule understanding questions
> 
> On 03/25/2013 02:45 PM, David wrote:
>> Hi all!
>>
>> I finally have Suricata set up on my home network the way I want, with traffic being monitored via a passive tap.  I'm in the process of filtering the ET rules (I've currently enabled /all/ the rules, just because) so I'm not getting flooded with info.  Some of the alerts I'm getting I understand (SSH scan attacks, etc), however, there are a few I'm not sure of.
>>
>> In the context of /what/ they are I understand (I understand the tcp 3-way handshake, for example). It's the context of /why/ I'm being alerted that's eluding me.
>>
>> 2210000 - SURICATA STREAM 3way handshake with ack in wrong dir 
>> - I got over 3 million dings for this one while my wife was watching something on netflix.
>>
>> 2210010 - SURICATA STREAM 3way handshake wrong seq wrong ack
>> - These all originate from my local external IP address, during the same "watching netflix" window of time. Over a million dings.
>>
>> 2210020 - SURICATA STREAM ESTABLISHED packet out of window
>> - Same netflix window, about 500,000 dings
>>
>> 2210045 - SURICATA STREAM Packet with invalid ack
>> - Again, netflix
>>
>> 2210029 - SURICATA STREAM ESTABLISHED invalid ack
>> - Netflix, you jerk.  
>>
>> I've googled most of these, however, the results are generally links to the ET rulesets, not to anything that helps me understand what causes these alerts.  I've set some threshold rules for them, so I'm not flooding splunk with extraneous info.
>>
>> Can anyone point me in a direction where I can find out why these are being generated?
> 
> What version of Suricata are you running? We improved this quite a bit
> in 1.4.
> 
> Are you seeing a lot of pkt loss? Maybe you can share a record of the
> stats.log, this should give us an idea on that.
> 
> Cheers,
> Victor
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
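Victor asked for the last stats.log record because the STREAM alerts David lists are typically a symptom of the engine not seeing, or not being able to keep, a complete in-order copy of each TCP stream. The script below is an added example (it is not from the thread or from the Suricata project) that parses the `Counter | TM Name | Value` table Suricata 1.x writes to stats.log and pulls out the figures a packet-loss triage looks at first: the per-capture-thread kernel drop ratio and the non-zero stream-engine counters (segment memcap drops, reassembly gaps, stream depth reached, invalid checksums). The embedded sample is an abbreviated copy of the record posted above; the choice of which counters count as loss indicators is this example's assumption, not a Suricata definition.

```python
"""Summarise a Suricata stats.log record for packet-loss triage.

Added example, not code from the mailing-list thread or from Suricata.
It reads the 'Counter | TM Name | Value' table that Suricata 1.x writes
to stats.log and reports the figures a stream-engine triage wants first.
"""
from collections import defaultdict

# Constructed sample: an abbreviated copy of the record posted in the thread.
SAMPLE_RECORD = """\
Date: 3/24/2013 -- 00:34:55 (uptime: 2d, 03h 49m 59s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxAFPeth11                | 5611583
capture.kernel_drops      | RxAFPeth11                | 209
decoder.pkts              | RxAFPeth11                | 5614133
capture.kernel_packets    | RxAFPeth21                | 9107856
capture.kernel_drops      | RxAFPeth21                | 3575
decoder.pkts              | RxAFPeth21                | 9109456
tcp.sessions              | Detect                    | 20233
tcp.invalid_checksum      | Detect                    | 118
tcp.segment_memcap_drop   | Detect                    | 2391
tcp.stream_depth_reached  | Detect                    | 314
tcp.reassembly_gap        | Detect                    | 840
detect.alert              | Detect                    | 7138315
-------------------------------------------------------------------
"""

# Assumption of this example: stream counters whose non-zero value means the
# engine could not see or keep a complete, in-order copy of a stream, and
# which are therefore plausible sources of the STREAM_* anomaly alerts.
STREAM_LOSS_COUNTERS = (
    "tcp.segment_memcap_drop",
    "tcp.reassembly_gap",
    "tcp.stream_depth_reached",
    "tcp.invalid_checksum",
)


def parse_record(text):
    """Return {tm_name: {counter: value}} for one stats.log record."""
    counters = defaultdict(dict)
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or parts[0] == "Counter":
            continue  # Date line, separator lines and the column header
        name, tm_name, value = parts
        try:
            counters[tm_name][name] = int(value)
        except ValueError:
            continue  # skip a corrupt value rather than abort the whole record
    return dict(counters)


def kernel_drop_ratio(counters):
    """Kernel drops divided by kernel packets for each capture thread."""
    ratios = {}
    for tm_name, values in counters.items():
        pkts = values.get("capture.kernel_packets")
        drops = values.get("capture.kernel_drops")
        if pkts is None or drops is None:
            continue  # not a capture thread (e.g. Detect, FlowManagerThread)
        ratios[tm_name] = drops / pkts if pkts else 0.0
    return ratios


def stream_loss_indicators(counters, tm_name="Detect"):
    """Non-zero stream-engine counters that point at lost or truncated data."""
    values = counters.get(tm_name, {})
    return {c: values[c] for c in STREAM_LOSS_COUNTERS if values.get(c, 0) > 0}


def summarise(text):
    """Parse one record and return the two triage views in a single dict."""
    counters = parse_record(text)
    return {
        "kernel_drop_ratio": kernel_drop_ratio(counters),
        "stream_loss": stream_loss_indicators(counters),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_RECORD)
    for tm_name, ratio in report["kernel_drop_ratio"].items():
        print(f"{tm_name}: {ratio:.4%} kernel drops")
    for name, value in report["stream_loss"].items():
        print(f"{name} = {value}")
```

On the sample record the kernel drop ratio is well under 0.1% on both capture threads, so the NIC side looks healthy; what stands out instead is `tcp.segment_memcap_drop` and `tcp.reassembly_gap`, both non-zero, which is the kind of reassembly-side loss that can leave the stream engine with a view of the session that no longer matches the packets it keeps seeing. To run it over a live file, take the text from the last `Date:` line to the end of stats.log and pass it to `summarise()`.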