[Oisf-users] Ineffective rules

Cooper F. Nelson cnelson at ucsd.edu
Mon May 4 21:11:50 UTC 2015



On 5/4/2015 2:05 PM, James Moe wrote:
>   Last night suricata exploded in action, logging huge numbers
> (2,688,052) of "invalid ack" alerts between 2:19am and 8:58am (when I
> stopped suricata). The alerts were only two SIDs: 2210029 and 2210045.

This is probably because you have not disabled GRO/LRO:

> - Using Pcap capture with GRO or LRO activated can lead to capture
> problems

>   I have two problems with this:
> 1. Why are the modified rules (see below) not effective? My
> understanding is that the alert would be valid for all IPs *except*
> 192.168.69.245 in either direction.

You are only disabling the alert for packets from 192.168.69.245, not to
192.168.69.245.

> 2. Why do these alerts stop after restarting suricata?

Dunno, may be an issue with the kernel or NIC driver.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
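As an added illustration of the directionality point above (constructed model code, not Suricata's own matcher, and the rule variants below are hypothetical because the poster's modified rules are not shown here): a small evaluator of rule-header address fields shows that negating only the source still alerts on packets to 192.168.69.245, that a `<>` header with a one-sided negation does not help either, and that negating both ends excludes the host in either direction.

```python
import ipaddress
import re

# Constructed model of Suricata rule-header address matching (not Suricata's
# own code): just enough to show which direction a negated address excludes.
HEADER = re.compile(r"^\s*\w+\s+\w+\s+(\S+)\s+\S+\s+(->|<>)\s+(\S+)\s+\S+\s*\(")


def addr_matches(spec, ip):
    """Evaluate one address field: 'any', an IP or CIDR, '!x', or '[a,b,...]'."""
    spec = spec.strip()
    if spec == "any":
        return True
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("[") and spec.endswith("]"):
        hit = any(addr_matches(s, ip) for s in spec[1:-1].split(","))
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return not hit if negated else hit


def header_matches(rule, src_ip, dst_ip):
    """True if the rule header (ports ignored) applies to a src_ip -> dst_ip packet."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("unrecognised rule header: " + rule)
    src_spec, direction, dst_spec = m.groups()
    forward = addr_matches(src_spec, src_ip) and addr_matches(dst_spec, dst_ip)
    if direction == "->":
        return forward
    # '<>' is evaluated as two rules with the roles swapped, so a negation on
    # one side is satisfied by whichever role the excluded host is NOT in.
    return forward or (addr_matches(src_spec, dst_ip) and addr_matches(dst_spec, src_ip))


HOST, PEER = "192.168.69.245", "10.0.0.5"  # constructed sample addresses
# Hypothetical rule variants (the poster's actual modified rules are not shown).
SRC_ONLY = 'alert tcp !192.168.69.245 any -> any any (msg:"invalid ack"; sid:1; rev:1;)'
BIDIR = 'alert tcp !192.168.69.245 any <> any any (msg:"invalid ack"; sid:2; rev:1;)'
BOTH_ENDS = 'alert tcp !192.168.69.245 any -> !192.168.69.245 any (msg:"invalid ack"; sid:3; rev:1;)'

if __name__ == "__main__":
    for name, rule in (("src-only", SRC_ONLY), ("bidir", BIDIR), ("both-ends", BOTH_ENDS)):
        print(name, "from host:", header_matches(rule, HOST, PEER),
              "to host:", header_matches(rule, PEER, HOST))
```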