[Oisf-users] Suricata goes wild with SURICATA STREAM alerts

Victor Julien lists at inliniac.net
Tue Jul 12 20:01:16 UTC 2016


On 12-07-16 21:55, Cooper F. Nelson wrote:
> What kernel version are you using?
> 
> There is a bug in the 4.2 and higher Linux kernel versions with the RSS
> implementation.  I was seeing those issues and reverting to the 4.1
> release fixed it.

That bug is still there; it's fixed in kernel 4.7rc7 and hopefully the
fix will be backported to stable kernels.

This post may be helpful as well:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture


> 
> -Coop
> 
> On 7/12/2016 12:46 PM, Marius wrote:
>> The rules, which indicate an error, are mostly stream engine related:
>> SURICATA STREAM 3way handshake with ack in wrong dir [Classification:
>> (null)]
>> SURICATA STREAM ESTABLISHED packet out of window
>> SURICATA STREAM ESTABLISHED invalid ack
>> SURICATA STREAM Packet with invalid ack
>> SURICATA STREAM FIN invalid ack
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
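An added triage check, not part of the thread or of Suricata itself: before treating a flood of stream-engine alerts as attacks, measure what share of fast.log they make up, since a dominant share points at the capture path (packet reordering or loss, e.g. the RSS issue discussed above) rather than at traffic. The sample lines below are constructed; the sid values and addresses are placeholders, the messages are the alerts Marius listed.

```python
import re
from collections import Counter

# Suricata fast.log layout, one alert per line:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src -> dst
FAST_LOG_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (?P<msg>.*?) \[\*\*\]")

# Constructed sample lines (placeholder sids/addresses); five stream-engine alerts and one ordinary rule hit.
SAMPLE_FAST_LOG = """\
07/12/2016-12:40:01.000001  [**] [1:9000001:1] SURICATA STREAM 3way handshake with ack in wrong dir [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:51234 -> 10.0.0.9:443
07/12/2016-12:40:01.000231  [**] [1:9000002:1] SURICATA STREAM ESTABLISHED packet out of window [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.9:443 -> 10.0.0.5:51234
07/12/2016-12:40:01.000400  [**] [1:9000003:1] SURICATA STREAM ESTABLISHED invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.5:51234 -> 10.0.0.9:443
07/12/2016-12:40:02.100000  [**] [1:9000004:1] SURICATA STREAM Packet with invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.7:40000 -> 10.0.0.9:80
07/12/2016-12:40:02.200000  [**] [1:9000005:1] SURICATA STREAM FIN invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.9:80 -> 10.0.0.7:40000
07/12/2016-12:40:03.000000  [**] [1:9000100:1] EXAMPLE Plain-text password over HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.7:40001 -> 10.0.0.9:80
"""


def count_alerts(log_text):
    """Return a Counter of alert messages found in fast.log text; unparsable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAST_LOG_RE.search(line)
        if m:
            counts[m.group("msg")] += 1
    return counts


def stream_alert_ratio(counts):
    """Fraction of all alerts raised by the stream engine (message starts with 'SURICATA STREAM')."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    stream = sum(n for msg, n in counts.items() if msg.startswith("SURICATA STREAM"))
    return stream / total


def capture_looks_suspect(counts, threshold=0.5):
    """Heuristic: when stream-engine alerts are at least `threshold` of all alerts,
    check the capture setup (kernel version, RSS/queue configuration, drops)
    before investigating the alerts as hostile traffic."""
    return stream_alert_ratio(counts) >= threshold


if __name__ == "__main__":
    counts = count_alerts(SAMPLE_FAST_LOG)
    for msg, n in counts.most_common():
        print(f"{n:6d}  {msg}")
    print(f"stream-engine share: {stream_alert_ratio(counts):.0%}, capture suspect: {capture_looks_suspect(counts)}")
```

Run it against a real fast.log by passing the file contents to count_alerts; a high share is the cue to look at the capture path, as the thread suggests.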