[Oisf-users] Question about Suricata Stream alerts

C. L. Martinez carlopmart at gmail.com
Thu Apr 28 10:57:45 UTC 2016 

Hi all,

 I am doing some tests with Suricata 3.0.1 in a KVM guest (FreeBSD 10.3) and I receiving alerts like this:

04/28/2016-10:11:41.046712  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
04/28/2016-10:11:41.047621  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
04/28/2016-10:11:41.088376  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.089728  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.089737  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
04/28/2016-10:11:41.090450  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.091623  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.091631  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
04/28/2016-10:11:41.092677  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.127861  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.127870  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.127876  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
04/28/2016-10:11:41.129864  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
04/28/2016-10:11:41.166793  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.168247  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952
04/28/2016-10:11:41.168252  [**] [1:2210044:1] SURICATA STREAM Packet with invalid timestamp [**] [Classification: (null)] [Priority: 3] {TCP} 172.22.55.1:36952 -> 64.233.167.109:993
04/28/2016-10:11:41.168834  [**] [1:2210021:2] SURICATA STREAM ESTABLISHED retransmission packet before last ack [**] [Classification: (null)] [Priority: 3] {TCP} 64.233.167.109:993 -> 172.22.55.1:36952

 I think I have done some misconfiguration on my tc rules or with suricata config. To do this port mirroring, I am using rules like these ones:

$tc qdisc add dev $m ingress
$tc filter add dev $m parent ffff: protocol all u32 match u8 0 0 action mirred egress mirror dev idsif
$tc qdisc add dev $m handle 1: root prio
$tc filter add dev $m parent 1: protocol all u32 match u8 0 0 action mirred egress mirror dev idsif

 "$m" is the physical bridge inside KVM host. I am doing port mirroring for three internal bridges: prodif, vpnif adn wapif. But I am not doing port mirroring for the external bridge: extif. (idsif is the destination bridge where all traffic is mirrored).

 I have changed mtu to 1514 for these three bridges (and in idsif bridge also) and I have disabled "rx tx sg tso ufo gso gro lro" via ethtool for all bridges.

 But I think that suricata doesn't "see" the full packet ... Am I right??

-- 
Greetings,
C. L. Martinez

More information about the Oisf-users mailing list