[Oisf-users] Suricata "causing" alerts?

Cooper F. Nelson cnelson at ucsd.edu
Mon May 11 18:18:50 UTC 2015



This is just a general FYI, but lots of sites (like us for example) have
the STREAM rules disabled.

Re: the particular issue you are seeing, it sounds like you still have
some offloading features enabled on your NIC.  Could you run 'sudo
ethtool -k eth0' and copy the results here?

-Coop

On 5/11/2015 10:36 AM, James Moe wrote:
> Hello,
>   suricata 2.0.7
>   linux 3.16.7-21-desktop x86_64
> 
>   Suricata seems to be creating alerts to log.
>   A backup job runs every morning at 1:20am, copying whatever has
> changed on the host to the backup system. It generates an explosion of
> "invalid ack" (2210029, 2210045) and "retransmission packet before
> last ack" (2210020) log entries. I have set a threshold on these so
> the log file does not consume all of the free space.
>   The alerts continued until suricata was restarted at 10:00am. Then
> all is quiet until 1:20am the next morning.
>   The fact that the alerts stop after the restart is quite suspicious.
> I had thought it was because the gro feature was set in the network
> interface. As noted in the verbose output below, that is not the case
> here.
> 
>   What else could cause suricata to generate these alerts until a restart?
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
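The check Coop asks for above is to look at 'ethtool -k' for offloads that are still on. GRO, LRO, TSO and GSO let the NIC or kernel merge or split TCP segments before the packets reach the capture interface, so Suricata's stream engine sees segments that never existed on the wire and raises invalid-ack and retransmission anomalies of exactly the kind in the quoted report. The script below is an added example, not something from this thread or from the Suricata project: it parses a constructed sample of 'ethtool -k' output (the sample interface name and feature states are made up) and lists the offloads that should be turned off on a sensor interface.

```bash
#!/bin/sh
# Constructed sample of 'ethtool -k eth0' output (not taken from the thread).
# Top-level features are unindented; ethtool indents sub-features with a tab.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'

# Offloads that reassemble or segment TCP before the capture path sees it.
# Any of these being "on" is a likely cause of stream-engine false alerts.
OFFLOADS='generic-receive-offload large-receive-offload tcp-segmentation-offload generic-segmentation-offload'

# check_offloads OUTPUT: print, one per line, the monitored offloads that are on.
check_offloads() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    name=${line%%:*}        # text before the first colon, e.g. generic-receive-offload
    state=${line#*: }       # text after the colon, e.g. "on" or "off [fixed]"
    for f in $OFFLOADS; do
      [ "$name" = "$f" ] || continue
      case "$state" in
        on*) printf '%s\n' "$name" ;;
      esac
    done
  done
}

# offloads_ok OUTPUT: succeed (0) only if none of the monitored offloads are on.
offloads_ok() {
  [ -z "$(check_offloads "$1")" ]
}

# Live use on a sensor (requires root): check_offloads "$(ethtool -k eth0)"
# Remediation for anything listed:     ethtool -K eth0 gro off lro off tso off gso off
if [ "${1:-}" = "--demo" ]; then
  echo "Offloads still enabled in the sample output:"
  check_offloads "$SAMPLE_ETHTOOL_K"
fi
```

Run it with --demo to see the two offloads flagged in the sample; on a real sensor, feed it the live 'ethtool -k' output instead. Features marked "[fixed]" cannot be changed with ethtool -K, which is why the check looks only at the on/off word and ignores the bracketed note.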


