[Oisf-users] Ineffective rules
James Moe
jimoe at sohnen-moe.com
Mon May 4 21:05:53 UTC 2015
Hello,
suricata 2.0.7
linux 3.16.7-21-desktop x86_64
Last night suricata exploded in action, logging huge numbers
(2,688,052) of "invalid ack" alerts between 2:19am and 8:58am (when I
stopped suricata). The alerts were only two SIDs: 2210029 and 2210045.
I have two problems with this:
1. Why are the modified rules (see below) not effective? My
understanding is that the alert would be valid for all IPs *except*
192.168.69.245 in either direction.
2. Why do these alerts stop after restarting suricata?
----[ modified rules ]----
alert tcp ![192.168.69.245] any <> any any \
(msg:"SURICATA STREAM ESTABLISHED invalid ack"; \
stream-event:est_invalid_ack; sid:2210029; rev:1;)
alert tcp ![192.168.69.245] any <> any any \
(msg:"SURICATA STREAM Packet with invalid ack"; \
stream-event:pkt_invalid_ack; sid:2210045; rev:1;)
----[ end ]----
----[ 2 of 2,688,052 alerts ]----
05/04/2015-02:19:39.051549 [**] [1:2210029:1] \
SURICATA STREAM ESTABLISHED invalid ack [**] \
[Classification: (null)] [Priority: 3] {TCP} \
192.168.69.245:2049 -> 192.168.69.115:883
05/04/2015-02:19:39.051549 [**] [1:2210045:1] \
SURICATA STREAM Packet with invalid ack [**] \
[Classification: (null)] [Priority: 3] {TCP} \
192.168.69.245:2049 -> 192.168.69.115:883
----[ end ]----
28/4/2015 -- 20:10:34 - <Info> - 48 rule files processed. 16417 rules
successfully loaded, 0 rules failed
28/4/2015 -- 20:10:38 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)]
- Using Pcap capture with GRO or LRO activated can lead to capture
problems
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
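To see how the posted rule headers are evaluated, here is a small added example (not from the original post or from the Suricata project) that reproduces only the address-matching semantics of a Suricata rule header: a negated list such as ![192.168.69.245] excludes those hosts, and a bidirectional header (<>) is matched with the source and destination swapped as well, so the logged 192.168.69.245 -> 192.168.69.115 alerts still match. The alternative header FIXED is my own assumption for comparison; ports are ignored because every header here uses "any".

```python
import ipaddress

# Constructed flows taken from the alerts quoted in the post (src, dst).
SAMPLE_FLOWS = [
    ("192.168.69.245", "192.168.69.115"),  # direction seen in the fast.log lines
    ("192.168.69.115", "192.168.69.245"),  # the reply direction
    ("10.0.0.5", "10.0.0.9"),              # constructed unrelated pair
]

# Header from the post, and an assumed variant that negates both ends.
POSTED = "tcp ![192.168.69.245] any <> any any"
FIXED = "tcp ![192.168.69.245] any -> ![192.168.69.245] any"


def parse_addr_spec(spec):
    """Parse a header address field: 'any', '1.2.3.4', '[a,b]' or '![a,b]'.
    Returns (negated, networks); 'any' is returned as (False, None)."""
    spec = spec.strip()
    if spec == "any":
        return False, None
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]
    return negated, nets


def addr_matches(spec, ip):
    """True if ip satisfies the address spec (negation inverts membership)."""
    negated, nets = parse_addr_spec(spec)
    if nets is None:
        return True
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return not hit if negated else hit


def header_matches(header, src, dst):
    """Evaluate 'proto saddr sport dir daddr dport' against one src->dst flow.
    For '<>' the header is also tried with src and dst swapped (ports ignored)."""
    _proto, s_addr, _sp, direction, d_addr, _dp = header.split()
    forward = addr_matches(s_addr, src) and addr_matches(d_addr, dst)
    if direction == "->":
        return forward
    reverse = addr_matches(s_addr, dst) and addr_matches(d_addr, src)
    return forward or reverse


def evaluate(header, flows=SAMPLE_FLOWS):
    """Map each (src, dst) flow to whether the header would match it."""
    return {f: header_matches(header, *f) for f in flows}


if __name__ == "__main__":
    for name, hdr in (("posted", POSTED), ("fixed", FIXED)):
        print(name, evaluate(hdr))
```

Running it shows the posted header matching both directions of the 192.168.69.245 flow, while the header that negates both ends drops them and keeps the unrelated pair.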