[Oisf-users] Suricata goes wild with SURICATA STREAM alerts

Marius mciepluch at web.de
Tue Jul 12 20:16:29 UTC 2016


I'm on 4.0.5-gentoo.


On 12 July 2016 at 20:01, Victor Julien <lists at inliniac.net> wrote:

> On 12-07-16 21:55, Cooper F. Nelson wrote:
> > What kernel version are you using?
> >
> > There is a bug in the 4.2 and higher Linux kernel versions with the RSS
> > implementation.  I was seeing those issues and reverting to the 4.1
> > release fixed it.
>
> That bug is still there, it's fixed in kernel 4.7rc7 and hopefully the
> fix will be backported to stable kernels.
>
> This post may be helpful as well
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Capture
>
>
> >
> > -Coop
> >
> > On 7/12/2016 12:46 PM, Marius wrote:
> >> The rules, which indicate an error, are mostly stream engine related:
> >> SURICATA STREAM 3way handshake with ack in wrong dir [Classification:
> >> (null)]
> >> SURICATA STREAM ESTABLISHED packet out of window
> >> SURICATA STREAM ESTABLISHED invalid ack
> >> SURICATA STREAM Packet with invalid ack
> >> SURICATA STREAM FIN invalid ack
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>

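Before touching the ruleset it is worth measuring how much of the alert volume is engine-generated. The script below is an added example for this thread, not code from the original posts or from the Suricata project: it reads EVE JSON alert records, tallies signatures that carry the "SURICATA " prefix used by the decoder and stream engine events (the ones listed above), groups them per connection regardless of direction, and flags the capture path as suspect when engine events dominate. The sample records, the 50% threshold, the "LOCAL TEST" rule name and all function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed eve.json records for illustration only: not real capture data.
# The field layout follows Suricata's EVE "alert" output; the stream-engine
# signature names are the ones quoted in the thread, everything else is made up.
SAMPLE_EVE = """\
{"timestamp":"2016-07-12T20:00:01.000001+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"signature":"SURICATA STREAM ESTABLISHED packet out of window","severity":3}}
{"timestamp":"2016-07-12T20:00:01.000002+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":443,"dest_ip":"10.0.0.5","dest_port":51000,"proto":"TCP","alert":{"signature":"SURICATA STREAM ESTABLISHED invalid ack","severity":3}}
{"timestamp":"2016-07-12T20:00:01.000003+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"192.0.2.10","dest_port":443,"proto":"TCP","alert":{"signature":"SURICATA STREAM Packet with invalid ack","severity":3}}
{"timestamp":"2016-07-12T20:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":40222,"dest_ip":"192.0.2.11","dest_port":80,"proto":"TCP","alert":{"signature":"SURICATA STREAM 3way handshake with ack in wrong dir","severity":3}}
{"timestamp":"2016-07-12T20:00:02.000001+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":40222,"dest_ip":"192.0.2.11","dest_port":80,"proto":"TCP","alert":{"signature":"SURICATA STREAM FIN invalid ack","severity":3}}
{"timestamp":"2016-07-12T20:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.9","src_port":33000,"dest_ip":"192.0.2.12","dest_port":80,"proto":"TCP","alert":{"signature":"LOCAL TEST constructed rule hit","severity":2}}
{"timestamp":"2016-07-12T20:00:03.000001+0000","event_type":"flow","src_ip":"10.0.0.9","src_port":33000,"dest_ip":"192.0.2.12","dest_port":80,"proto":"TCP"}
this line is not JSON and must be skipped
"""

# Decoder and stream engine events all carry this signature prefix.
ENGINE_PREFIX = "SURICATA "


def parse_eve(text):
    """Return (records, unparsed_count): one dict per valid JSON line, bad lines skipped."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            bad += 1
    return records, bad


def flow_key(rec):
    """Direction-independent 5-tuple so both halves of a connection collapse together."""
    a = (rec.get("src_ip"), rec.get("src_port"))
    b = (rec.get("dest_ip"), rec.get("dest_port"))
    lo, hi = sorted([a, b])
    return (rec.get("proto"), lo, hi)


def summarize_engine_events(text, threshold=0.5):
    """Tally engine-generated alerts against rule alerts.

    threshold is an assumed cut-off, not a Suricata constant: if engine events
    make up more than this share of all alerts, the capture path (RSS queues,
    NIC offloads, kernel version) deserves a look before the ruleset does.
    """
    records, bad = parse_eve(text)
    alerts = [r for r in records if r.get("event_type") == "alert"]
    by_signature = Counter()
    by_flow = Counter()
    engine = 0
    for r in alerts:
        sig = r.get("alert", {}).get("signature", "")
        by_signature[sig] += 1
        if sig.startswith(ENGINE_PREFIX):
            engine += 1
            by_flow[flow_key(r)] += 1
    ratio = engine / len(alerts) if alerts else 0.0
    return {
        "total_alerts": len(alerts),
        "engine_alerts": engine,
        "engine_ratio": ratio,
        "by_signature": by_signature,
        "engine_events_per_flow": by_flow,
        "unparsed_lines": bad,
        "capture_problem_suspected": ratio > threshold,
    }


if __name__ == "__main__":
    import sys
    # Pass a real eve.json path as the first argument; otherwise the sample runs.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE
    s = summarize_engine_events(source)
    print(f"alerts={s['total_alerts']} engine={s['engine_alerts']} ratio={s['engine_ratio']:.2f}")
    for sig, n in s["by_signature"].most_common():
        print(f"{n:6d}  {sig}")
    print("capture problem suspected" if s["capture_problem_suspected"] else "ruleset-driven alerts")
```

On the constructed sample, five of six alerts are stream-engine events and three of them land on the same connection seen from both directions, which is the pattern to expect when a flow's packets are split across RSS queues and arrive at the engine out of order. The per-flow counter is the useful part on a real eve.json: a handful of connections collecting many events each points at the capture path rather than at the rules.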